Lessons from the true crime story of a Russian hacker PAGE 30


Mature  Rating 

Find  out  how  your 
security  practices 
stack  up  in  our 
exclusive  survey 

PAGE  46 


Holes  in 
the  System 

A  better  way  to 
report  software 
security  bugs 

PAGE  59 



and  growing  influence 


EXCLUSIVE  CSO  Survey  shows  signs 



THE RESOURCE FOR SECURITY EXECUTIVES


BUILDING THE FUTURE CSO


www.csoonline.com 

This  is  a  domestic  rate  only  (US  and  Canada). 

The  foreign  rate  is  $95.00  prepaid  in  U.S.  currency. 


SUBSCRIBE  TODAY! 

Yes,  please  enter  my  one-year  subscription 
(12  issues)  to  CSO  magazine,  and  bill  me 
later  for  $70.00! 


Name 


Title 


Company  Name 


Address 


City 


State  Zip 


□  Bill  me  □  Bill  my  credit  card  □  MC  □  VISA  □  AMEX 


Account  Number  Expiration  date 


Signature 


CIN05 


POSTAGE  WILL  BE  PAID  BY  ADDRESSEE 


cso 

ATTN:  CIRCULATION  DEPARTMENT 
PO  BOX  9014 

FRAMINGHAM  MA  01701-9836 




It’s  a  big  world  out  there,  and  your  remote  offices  can  be  all  over  it.  But  no  matter 
where  they  are,  you  can  keep  them  secure  with  the  Symantec™  Gateway  Security 
5400  Series  and  Symantec™  Gateway  Security  400  Series  appliances.  Install  the 
5400  Series  in  your  main  office  and  the  400  Series  in  your  smaller  locations  and 
you’ll  have  comprehensive  gateway  protection  wherever  you  need  it.  To  learn  how  to 
protect  your  company’s  critical  information,  go  to  http://ses.symantec.com/appliances 
or  speak  with  your  Symantec  Certified  Partner. 




Symantec, 


Knowing  is  more  than  being  aware.  It's  about  being  able  to  determine,  prioritize 
and  deliver  what  and  how  much  protection  is  needed  and  where.  You  can't  eliminate 
risk  completely,  but  you  can  manage  it  and  reduce  your  exposure  time. 

NetIQ Security Management is the only way to manage risk, assure compliance and secure assets. Our knowledge-based software solutions are intelligent and simple to use. Only NetIQ, a leader in systems and security management, gives you the assurance of knowing that risk is mitigated and your enterprise is secure, available and performing.

© NetIQ Corporation. All rights reserved. NetIQ and the NetIQ logo are registered trademarks of the NetIQ Corporation.




Knowing that you're managing risk. Knowing is everything!


28  Identity  Protection 

SECURITY COUNSEL Judith Collins, an associate professor at the School of Criminal Justice at Michigan State University, answers readers’ questions about securing customers’ and employees’ personal information.


56  Why  Convergence  Is  Elusive 

CSO  UNDERCOVER  Last  month,  CSO’s  editor  asked  why 
CSOs  can’t  all  just  get  along  in  a  world  of  converged 
security  management.  The  problem  is  that  we’ve  got  to 
raise  our  profiles  in  the  corporate  world  first. 


19  Briefing 

The  electronic  road  to  the  White  House;  Employers 
fight  Oklahoma  gun  law;  Ridge’s  successor  can  beef 
up  public-private  ties;  The  Security  Blotter;  Top  10 
security  laws  to  live  by. 


30  Russian  Roulette 

CYBERCRIME  Hacker  Alexey  Ivanov  was  lured  to  the  United 
States  and  snared  in  a  high-stakes  cyber-sting.  The  FBI  says 
he  got  what  he  deserved.  But  Ivanov  says  his  gamble  paid 
off.  In  the  end,  he  got  what  he  wanted  all  along. 

By  Art  Jahnke 

38  cover  story  Reality  TV 

VIDEO SURVEILLANCE Reasons to invest in new video surveillance systems are everywhere. Zoom in on these six insights to help you focus on what’s important. By Scott Berinato


27  Wonk 

Challenges  in  and  out:  As  DHS  struggles  to  find  a 
permanent  cybersecurity  chief,  its  CIO  and  CISO  are 
grappling  with  challenges  of  their  own.  By  Al  Sacco 

59  Machine  Shop 

Beyond  passport  vulnerabilities:  Security  flaws  in 
high-profile  products  like  Microsoft’s  Passport  led 
experts  and  vendors  to  find  new  ways  to  disclose  bugs. 
By  Simson  Garfinkel 

TOOLBOX  Fire  suppression  without  the  water  damage 


Cover  photo  by 
Getty  Images 


46  A  Long  Way  to  Grow 

INFOSECURITY  SURVEY  First  results  from  a  new  security 
management  survey  indicate  that  many  companies  have 
only  rudimentary  practices  in  place. 

By  Derek  Slater  and  Lorraine  Cosgrove  Ware 

50  Securing  the  Post-Human  Future 

THE LONG VIEW CSOs will likely live to see the day when human brains are augmentable through an array of knowledge implants and other applications. By Fred Hapgood


IN EVERY ISSUE

8 CSOonline.com
10 Letter from the Editor
14 Letters
62 Index
64 Debriefing
TIME LINE Great moments in vulnerability disclosure


4  www.csoonline.com  January  2005 




iCLASS by HID

©  2004  HID  Corporation.  All  rights  reserved. 


Proximity.  Multi-Technology  Cards.  iCLASS. 

The sort of sensible ingenuity you’d expect from HID - the worldwide leader in access control.

HIDCorp.com/work


Smart.  Powerful.  Trusted. 


All  In  a 


Photo  ID 

7:42  AM 

Verify  your  identity  to  the 
parking  entrance  guard  by 
presenting  your  photo  ID  card 
with  the  company’s  hologram. 

Access  Control 

7:49  AM 

Open  the  door  to  your  facility 
with  HID’s  125  kHz  proximity, 
the  technology  that  opens 
thousands  of  doors  each  day! 

Logical  Access 

9:02  AM 

Use  your  contact  smart 
chip  module  to  log  on  to 
the  network  and  access  your 
PKI  applications. 




Cashless  Vending 

11:53  AM 

It’s  make-your-own- 
taco  day,  and  your  card’s 
magnetic  stripe  works  with 
the  legacy  system  in  the 
cafeteria. 

Biometrics 

2:02  PM 

Gain  access  to  high- 
security  areas  in  your 
building  using  your 
fingerprint,  handprint,  or 
iris  -HID  can  store  your 
biometric  template  on 
your  card  using 
13.56  MHz  iCLASS 
contactless  smart  card 
technology! 

Time  & 
Attendance 

5:15  PM 

After  a  productive  day’s 
work,  clock  out  with  your 
card  -  time  to  relax! 


Trademarks or registered trademarks of their respective owners.


How  did  80%  of  information 
become  100%  useless? 

What if information could find its way in and out of databases, all on its very own? With the Adobe Intelligent Document Platform, it's possible. When you combine the logic of XML and Adobe PDF, suddenly documents are smarter. Unstructured content unifies with structured data. And information intuitively travels where it's needed, safely and securely. It's simplicity at work. The Intelligent Document Platform. Better by Adobe.


Adobe 


See  how  smarter  documents  are  working  for  other  companies  at  adobe.com/idp. 


Adobe  Intelligent  Document  Platform 


[Chart: 16% Wireless Security; 21% Disaster Recovery; 19% Other; Antivirus; Management]


Career  Adviser 

Joyce Brocaglia and Pete Metzger are available online to help you advance in your career. Brocaglia is a founder and CEO of Alta Associates, a premier executive recruiting agency that specializes in information security. Metzger leads the global security practice for executive search organization Heidrick & Struggles International. Don’t be shy. Ask your job-related questions now.
www.csoonline.com/adviser

Gone  But  Not  Forgotten 

Already misplaced your December copy of CSO? No worries. You can find it (and every other issue of CSO) on the Web. The December issue, nicknamed “The Image Issue,” includes several self-help articles for CSOs working to improve their image and presentation skills.
www.csoonline.com/read

Research  Center 
Spotlight:  Privacy 

Learn  the  basics  of  protecting  customer 
privacy  and  read  in-depth  articles  on 
topics  such  as  HIPAA,  phishing,  Total 
Information  Awareness  and  much 
more.  You’ll  also  find  links  to  various 
privacy  resources  from  the  Web. 
www.csoonline.com/research/privacy 

Something  for  Nothing 

CSO newsletters are delivered right to your inbox for free. Sign up for newsletters on CSO careers, leadership and technology, or just stay in tune with the most recent updates to CSOonline.com. Sign up now.

www.csoonline.com/newsletters 


How  Capable  Is 
Your  Security 
Organization? 

With a tool codeveloped by CSO and Carnegie Mellon University’s CERT Coordination Center, called the Security Capability Model, you can benchmark your security organization against others in 22 separate practices (see “A Long Way to Grow,” Page 46). Then take the survey for yourself. Go




“Buying  new  technological 
security  solutions  every  time 
there  is  a  new  threat  or  a  security 
event  is  not  always  the  answer” 

-DR.  BILL  WOLOCH,  CEO,  HOLISTIC  SECURITY  CONSULTING.  FROM  "BLAME  GAME." 

WWW.CSOONLINE.COM/TALKBACK/110904.HTML 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


President  and  CEO  Walter  Manninen 
Group  Publisher  Gary  J.  Beach 
Publisher  Bob  Bragdon 

EDITORIAL 

Editor  in  Chief  Lew  McCreary 
Editor  Derek  Slater 
Managing  Editor  Michael  Goldberg 
Managing  Editor,  Production  Cheryl  R.  Asselin 
Senior  Editors 

Scott  Berinato,  Todd  Datz,  Sarah  D.  Scalet 
Editor  at  Large  Simson  Garfinkel 
Departments  Editor  Kathleen  S.  Carr 
Contributors  Fred  Hapgood,  Grant  Gross 

COPY  TEAM 

Senior  Copy  Editors 
Diann  Daniel,  Emily  S.  Henderson 

Copy Editor Cathy Mallen
Assoc.  Copy  Editor  Daniel  John  Robinson 
Editorial  Assistants 

Daniel  J.  Horgan,  Margaret  Locher,  Al  Sacco 

RESEARCH  &  PROJECTS 

Research  Editor  Lorraine  Cosgrove  Ware 
Editorial  Resource  Manager  Carol  Zarrow 
Associate  Research  Analyst  Julie  Hanson 
Special  Projects  Manager  Lynne  Z.  Rigolini 

DESIGN 

Executive  Director,  Art  and  Design  Mary  Lester 
Art  Director  Steve  Traynor 
Associate  Art  Director  Chandra  Tallman 
Design  Operations  Specialist  Rachel  Barnett 

ONLINE  EDITORIAL 

Web  Editorial  Director  Art  Jahnke 

Consulting  Editor  Janice  Brand 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 

ONLINE  &  INFORMATION  SYSTEMS 

Chief  Information  Officer  Mark  Hall 

ONLINE 

Senior  VP/General  Manager,  Online  Tim  Horgan 
E-Commerce  Manager  Andrew  Burrell 
Online  Production  Specialist  Rupal  Patel 

Online  Producers  Todd  Borglund, 
Shannon  Macdonald,  Jen  McCarthy 

Designer  Graham  White 

INFORMATION  SYSTEMS 

Director  of  Information  Technology  Dagmar  Eiben 
Infrastructure  Manager  James  C.  Burgoyne 
User  Services  Manager  Ron  Bettencourt 

Senior  User  Services  Specialists 
Michael  Fahlsing,  Jonathan  Frappier 

Systems  Administrator  Robert  Reagan 

Senior  Web  Developers 
Sean  McCracken,  Ellen  Morey 

Associate  Web  Developer  Anthony  Servideo 

CHIEF  SECURITY  OFFICER 
CXO  MEDIA  INC. /IDG 

Robert  Hayes 


INTERNATIONAL  DATA  GROUP 

Board  Chairman  Patrick  J.  McGovern 
CEO  Pat  Kenealy 


BPA WORLDWIDE




©  CXO  Media  Inc. 


SINGLE  PLATFORM, 
MULTIPLE  CREDENTIALS 


ONE  SOLUTION  FOR 
WINDOWS  LOG-ON,  VPN, 
AND  WI-FI  ACCESS 


NEXT-GENERATION  TOKEN 


OPEN  STANDARDS, 
PROVEN  INFRASTRUCTURE 


UP TO 40% LOWER TCO


Introducing  VeriSign  Unified  Authentication 


Many  devices.  Many  threats.  One  platform  that  secures  it  all. 




Introducing VeriSign® Unified Authentication: an open, extensible platform plus next-generation devices, all designed to integrate with your existing infrastructure. Deploy multipurpose credentials that support Windows® log-on, VPN, Wi-Fi roaming, and application security. Scale your network security to meet the authentication demands of employees, customers, and business partners. And reduce your TCO up to 40% — without getting locked into a proprietary system. For more, visit www.verisign.com/unified-authentication VeriSign. Where it all comes together.™


© 2004 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, "Where it all comes together." and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and in foreign countries. Windows is a registered trademark of Microsoft Corporation.


Men  Behaving  Badly 

The big talk recently in the world of sports concerned the player-fan basketball melee in Detroit, involving the hometown Pistons (mainly their fans) and the Indiana Pacers (mainly light heavyweight provocateur Ron Artest, joined by a couple of his mates). The post-fight analysis identified as a partial cause the growing belief among fans that they are legitimately part of the show. And some rueful commentators observed that basketball has now become more of a show than a sporting event, with dancing and music and a variety of interactive elements that fill every pregame, postgame, halftime and time-out. Dating to the days of Jack Nicholson and Spike Lee baiting visiting teams while sitting courtside in Los Angeles and New York, fans have increasingly felt entitled to be part of the show.

This happens not only in basketball; it has also proven to be a combustible mix in baseball, international soccer, hockey (remember hockey?) and football. The disappearance of reasonably acceptable behavioral barriers has led to a situation where now there are calls for literal barriers to be built between the fans and the players. And the day may come when that solution is adopted. At which point, fans will be able to fight only with other fans and players only with other players. And I guess that will be some sort of an improvement.

But men can be seen behaving badly in many realms. We see the problem of lowered behavioral barriers in full flower on the Internet. “Information,” as the saying goes, “wants to be free.” That apparently caused a so-called journalist to feel entitled to misappropriate content from this magazine and offer it to another publication as his own. (A CSO reader saw some of this purloined material, recognized it as ours and called up Editor Derek Slater, who ran the perp to ground.) The offense of plagiarism, which when I was in grade school was sold, persuasively, as the basest kind of intellectual dishonesty, is now practiced with an online shrug by eighth-graders shortcutting on homework and college students looking for an off-the-rack term paper on John Milton’s use of food imagery in Paradise Lost or on the forces that led to the Alien and Sedition Acts.

In this issue, there’s a related story (see “Russian Roulette,” Page 30) by CSO Web Editorial Director Art Jahnke. Jahnke pursued the story of Alexey Ivanov for a couple of years. During much of that time, Ivanov was incarcerated for computer fraud, extortion, conspiracy and hacking. Ivanov, while based in Chelyabinsk, Russia, was charged with hacking into corporate networks, stealing information and attempting to shake down the violated businesses for jobs. Finally one of them offered to hire him. Unfortunately for him, the hiring managers were FBI agents; when Ivanov and an associate arrived in Seattle for their job interviews (in which Ivanov bragged of his hacking prowess), they were busted. Ivanov explains his crimes as a sensible adaptation to the difficulty of finding work that suited his skills. Unlike other forms of thievery, in which a physical barrier is breached and weapons may be used, Ivanov’s crime is quiet and game-like— the clicking of keystrokes rather than the violence of breaking and entering.

How many of the problems that now demand attention from security executives arise from a kind of easygoing, shrugging behavior? And how greatly does that behavior deviate from bygone standards of greater constraint? I'm neither a shrink nor an anthropologist. But as long as video games can offer deeply “immersive” experiences, what’s being bought along with the software is a highly stimulating, but cheaply earned, visceral sensation of being at the center of the action. (A recent controversial example is the JFK assassination “game” in which players try to duplicate Lee Harvey Oswald’s lethal shots.) It prompts a question that social scientists dwell on with growing urgency: In what ways does this new habituation to virtual immersion leak over into physical realms? -Lew McCreary

mccreary@cxo.com




PHOTO  BY  WEBB  CHAPPELL 


Authenex


Strong 


Authentication 


One-Time  Password 


Full  PKI  Support 


The  Authenex  A-Key  hybrid  token  offers  USB  and  one-time 
password  functionality  for  your  company’s  strong  two- 
factor  authentication  needs.  Whether  those  needs  are  VPN, 
LAN,  or  Web,  the  Authenex  A-Key  works  in  conjunction  with 
the  ASAS  authentication  server  to  offer  strong  two-factor 
authentication  with  or  without  PKI.  The  A-Key  also  provides 
128-bit  AES  encryption  and  secure  file  exchange.  The  only 
solution  that  delivers  total  mobility  and  maximum  flexibility  is 
waiting  for  you. 


e-Security 
Less  Overhead 


Hard  Disk  /  File  Encryption 

r 

Secure  File  Exchange 


Available  Now! 

Get  your  free  evaluation  A-Key  now* 

Visit  www.authenex.com/cso  or  call  1  877.288.4363 


Total  Mobility 


*  Certain  terms  and  conditions  may  apply 

© Authenex, Inc. All rights reserved. Authenex A-Key and associated logos are registered or unregistered trademarks of Authenex, Inc. All other trademarks in this document are the sole property of their respective owners.


WOULDN’T  YOU  PREFER 




When business losses are measured in seconds, preemption beats “reaction” every time


The  only  effective  security  is  preemption.  This  preemptive  power  is  only  available  with  the  Proventia™  Security  Platform  from  Internet 
Security  Systems.  When  security  flaws  are  discovered  in  your  network  and  IT  assets,  Internet  Security  Systems'  world-renowned  research 
team  updates  Proventia  to  immediately  shield  you  before  attacks  are  released.  Proventia  keeps  you  off  the  path  to  disaster  by  preemptively 
securing  your  entire  IT  infrastructure  with  a  unified  family  of  intrusion  prevention  and  vulnerability  management  products.  In  fact,  when 
we manage Proventia for you, we'll even guarantee protection. Need proof? Get your free whitepaper, Preemptive Protection: Setting a New Standard in Security, at www.iss.net/proof/cso or call 800-776-2362.




PREEMPTIVE  SECURITY  IS  HERE 


THAT  KEEPS  YOU  OUT  OF  THE  ER? 


NETWORK  &  HOST  INTRUSION  PREVENTION  I  VULNERABILITY  MANAGEMENT  I  MANAGED  SECURITY  SERVICES 


csoletters@cxo.com 


Quantify,  Don't  Qualify 

You’ve  heard  it  before:  Security  is  a  cost 
center.  In  November  we  wrote  “The  Metrics 
Quest,"  about  the  need  to  prove— with  met¬ 
rics— that  the  security  cost  center  has  real 
value.  These  readers  weigh  in. 

EXCELLENT! IT’S ABOUT TIME SOMEONE spent the requisite time on metrics. I’m always torn on the balance of the number of metrics to collect versus the amount of energy expended to collect the metrics. We all have to adapt to our unique business methods and the risk models.

CRIS  DEWITT 

CTO/CSO 
In-Depth  Security 

GOOD ARTICLE BUT I’D LIKE TO SEE a continuation of this subject that would include additional lessons learned.

LUIS  H.  MORALES 

Regional  Security  Manager 
Corporate  Security 
Solectron  Technology 

SOME GOOD IDEAS HERE, BUT I’M still left wondering how one justifies the continuing expense of an information security program in which the desired result is that nothing untoward happens. We seem to find ourselves in the position of the suburban fellow beating a gong in his front yard to keep tigers away, with the justification that there haven’t been any tigers seen since he started. Without real incidence data (that is, “Without these defensive investments we would have incurred losses of...”), we are forced to defend our budgets based on the lack of intrusions, malcode outbreaks and so forth. Which, of course, begs the question: Are we spending the right amount or could we really get by with 30 percent less? Metrics are the key but which ones?

Senior  Consultant 
Fortune  100  company 

In November we wrote “Scumware Out There,” reiterating the fact that security vendors to date have not been able to root out spyware and malicious code. We wondered aloud what CSOs should do while they await a miracle cure.

WELL, THIS EXPLAINS A LOT. I HAVE had to reconfigure my hard drive on my laptop four times now. I’ve lost critical data and spent hours trying to clean this scum out of my computer. Last night, I had to do it again; I installed the patch Microsoft Windows Service Pack 2 from a disk I had ordered. While I was installing the patch, I got two pop-ups warning that the Microsoft software I’d installed may be vulnerable and offering to scan my root directory. I attempted to close the “ad” by clicking the “X” in the upper right corner and was directed instead to a page that began the download. I had to crash my computer and start all over again. My friends and colleagues were convinced that my laptop was defective. My spouse thinks I surf illicit sites and invite this junk into my computer. I now have Windows Service Pack 2, Norton 2005, Spyware BeGone and Trace no more—all installed. My computer seemed to have increased in speed by a magnitude of 10. I’ll see if I can fend off the invasion for a while so that I can complete my work
and  master’s  degree  project  without 
injury. I’ve had to spend in excess of $200 on programs that promised to remove the adware, data miners, viruses and homepage hijackers. I estimate the cost of damages from interruptions in workflow and productivity to be around $30,000.

I anxiously await the legislation that protects my privacy and deals with the criminal harassment imposed by the underhanded scumware distributors.

KURT JAHNKE

Lieutenant Commander
in the Coast Guard

How to Reach Us

E-MAIL
csoletters@cxo.com

PHONE
508 872-0080

FAX
508 879-7784

ADDRESS
CSO Magazine
492 Old Connecticut Path, P.O. Box 9208
Framingham, MA 01701-9208

SUBSCRIBER SERVICES
phone: 866 354-1125
fax: 847 564-9453
e-mail: cso@omeda.com

REPRINTS
For article reprints (500 quantity or more), contact Keith Williams at PARS International at 212 221-9595 x319 or e-mail keith@parsintl.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.

We  want  to  hear  from  you. 

To  respond  to  articles  you’ve  read  in  CSO,  write  to 
us  at  csoletters@cxo.com.  We  welcome  your 
thoughts,  suggestions  and  feedback. 




RSA SECURITY

Confidence Inspired


June  1992 

Secured  dial-up  connection 
to  the  office  from  a  convention 
in  Phoenix. 


December  1999 

Safeguarded  VPN  access 
12  miles  outside  of  Aspen. 

October  2004 

Protected  Microsoft®  Windows® 
desktop  while  in  a  holding 
pattern  over  LAX.  No  passwords. 
No  problem. 


www.rsasecurity.com/securid 


©2004 RSA Security Inc. All rights reserved. RSA, RSA Security, and SecurID are either registered trademarks or trademarks of RSA Security Inc., in the
United  States  and/or  other  countries.  Microsoft  and  Windows  are  either  registered  trademarks  or  trademarks  of  Microsoft  Corporation  in  the  United 
States  and/or  other  countries.  All  other  products  and  services  mentioned  are  trademarks  of  their  respective  companies. 




SonicWALL  TZ170  25-node 
with  8x5  Support 


Can  your  old  security  stand  up  to  today's  threats? 

(Do  you  want  to  bet  your  data  on  it?) 


There  are  two  kinds  of  security  threats.  Those  you've  faced  and  those  you  will.  That's  why  CDW  offers  the  latest  security 
solutions  from  top  name  brands.  We  also  have  account  managers  who  can  help  you  find  the  right  solution  for  you.  And  with 
access  to  the  largest  in  stock  inventories,  you'll  get  what  you  need  fast.  So  why  wait?  Peace  of  mind  is  just  a  phone  call  away. 


The  Security  Solutions  You  Need  When  You  Need  Them. 


$314 

CDW  672581 


Model-upgradeable  VPN  endpoint  and  SOHO  firewall 
security  appliance 

Provides  full,  centralized  management,  logging  and  historical 
reporting  for  securing  telecommuter  and  remote  offices 
Includes  dynamic  stateful  packet  filtering,  work/home 
network  separation  and  network  address  translation  (NAT) 


WatchGuard  Firebox®  X5 


Delivers  flexible  scalability  to  organizations  of  all  sizes 
Optional  port  can  be  configured  as  a  WorkPort  for 
telecommuters,  a  second  LAN  for  added  internal 
security  or  a  second  WAN  for  ISP  failover  and  load 


79 

CDW  636209 




Customer  understands  that  CDW  is  not  the  manufacturer  of  the  products  purchased  by  customer  hereunder  and  the  only  warranties  offered  are  those  of  the  manufacturer,  not  CDW.  All  pricing  is  subject  to  change.  CDW  reserves  the  right  to  make  adjustments  to  pricing,  products  and  service  offerings  for 
reasons  including,  but  not  limited  to,  changing  market  conditions,  product  discontinuation,  product  unavailability,  manufacturer  price  changes  and  errors  in  advertisements.  All  orders  are  subject  to  product  availability.  Therefore,  CDW  cannot  guarantee  that  it  will  be  able  to  fulfill  customer's  orders.  The 


SONICWALL

WatchGuard

Cisco Systems Authorized Reseller

Symantec

TREND MICRO Client/Server/Messaging Suite for Small and Medium Businesses

eTrust Vulnerability Manager

Computer Associates


terms  and  conditions  of  sale  are  limited  to  those  contained  herein  and  on  CDW's  Web  Site  at  CDW.com.  Notice  of  objection  to  and  rejection  of  any  additional  or  different  terms  in  any  form  delivered  by  customer  is  hereby  given.  ©  2005  CDW  Corporation 


Cisco  PIX  501  50-user/3DES  Bundle 


Delivers  enterprise-class  security  for  small  offices  and 
teleworkers  in  a  reliable,  plug-and-play  security  appliance 
Ideal  for  securing  high-speed  "always  on" 
broadband  environments 

Includes  stateful  inspection  firewall,  virtual  private 
networking  (VPN)  and  intrusion  protection 


CDW  340638 


Symantec™  Gateway  Security 
420  Appliance 


Integrates stateful inspection firewall with antivirus policy enforcement, IPsec VPN, intrusion detection, intrusion prevention and content filtering technologies
Offers  integrated  networking  functions  including  a  multi-port 
LAN  switch,  a  router  and  Internet  link  protection  with  automatic 
detection  failover  and  bandwidth  aggregation  capabilities 
Provides  protection  for  wireless  LAN  networks  with  an  access 
point  option  that  extends  security  protection  to  WLAN  clients 
while  allowing  seamless  roaming  within  a  facility 


Wireless  access  card  sold  separately 


CDW  706609 


Trend  Micro  Client/Server/Messaging 
Suite  for  SMB 


Integrated  antivirus  and  anti-spam  solution  for  networked 
workstations,  servers  and  Microsoft  Exchange  servers 
Scan  and  eliminate  viruses  within  a  company's  network 
and  block  spam  at  the  e-mail  server  before  it  reaches  users 
Delivers  low  false-positive  rates  by  combining  advanced 
heuristic  anti-spam  engine  functionality  with  signature 
lookup  capabilities  and  advanced  approved/denied  e-mail  lists 
5-25  user  license 


CDW  639823 


Computer Associates® eTrust Vulnerability Manager


Provides  automated  services  and  technologies  that  combine 
vulnerability  assessment,  patch  and  configuration  remediation 
and  compliance  analysis 

Highly  scalable,  easy-to-use  appliance  adapts  to  small, 
medium  and  large  organizations 
Supported  by  the  Computer  Associates  24x7  Security 
Advisory  Team 


CDW  689010 


The Right Technology. Right Away.

CDW.com • 800.399.4CDW
In Canada, call 800.387.2173 • CDW.ca

www.isaca.org/certification

Demand Excellence

CISM
CERTIFIED INFORMATION SECURITY MANAGER

Register online now for the 11 June 2005 exams at www.isaca.org/examreg

Information Systems Audit and Control Association®

CISA
CERTIFIED INFORMATION SYSTEMS AUDITOR

For more than 30 years ISACA has been certifying professionals with its flagship certification, CISA (Certified Information Systems Auditor), the globally accepted standard among IS audit, control and security professionals. In 2002, ISACA introduced CISM (Certified Information Security Manager), a groundbreaking credential specifically designed for information security professionals who manage an information security function of an enterprise or have

Together these programs have certified over 40,000 people worldwide.

job skills, participation with a global leader in IT certification-all of these benefits are obtained

Events deemed National Special Security Events since 1998: 20

Presidential inaugurations designated a National Special Security Event: 2

Inaugural procession route (in miles): 1.7

First use of floats in inaugural parade: 1841

First time the U.S. Army used flamethrowers to clear snow from the procession route: 1961

Extra officers used in 2001: 1,200

Extra officers projected on duty in 2005: 2,000

Military troops used in 1969: 2,000

Military troops expected in 2005: 4,000

Buildings along the parade route subject to surveillance: 450

First use of a bulletproof limousine: 1965 (Lyndon Johnson)

Secret Service officials willing to discuss security procedures for the 2005 inauguration: 0

SOURCE: THE ARCHITECT OF THE CAPITOL, "INAUGURALS OF PRESIDENTS OF THE UNITED STATES: SOME PRECEDENTS AND NOTABLE EVENTS."


E-VOTING E-voting is fantastic—or it's problematic. During the Nov. 2 U.S. general election, electronic voting machines performed nearly flawlessly, or they experienced serious problems—depending on whom you talk to. Here are some states where the process broke down.

North Carolina: Storage issues. More than 4,500 votes lost in Carteret county, according to the Verified Voting Foundation.

Florida: Broward, Palm Beach and Miami-Dade counties logged questionable results. More votes were registered for President George Bush than were expected by post-election analysis, over 100,000, according to researchers at UC Berkeley.

Louisiana: E-voting machine malfunctions. Machines misrecorded votes, often switching votes from Kerry to Bush, and some ballots were already filled out when voters logged in to the voting machines, according to the Verified Voting Foundation.

Among the most serious problems raised by e-voting security advocates:

■ Back-end vote tabulators can be easily hacked.

■ Votes can be lost when machines crash.

■ There's no way to conduct audits of e-voting results.

■ There are no verifiable paper trails.

"Electronic voting is a technology that has no safety net," says David Dill, a Stanford University computer science professor and founder of the Verified Voting Foundation. "[E-voting vendors] are basically assuring that these computerized voting numbers are flawless."

But defenders of e-voting tell a different story:

■ Machines eliminate over-voting.

■ Machines reduce under-voting.

■ Machines allow voters to review their choices before submitting a final vote.

According to Bob Cohen, senior vice president of the Information Technology Association of America (ITAA), which counts e-voting vendors among its members, there were reports of fewer than 1,000 problems, which he says are minor compared to the estimated 40 million voters who used e-voting machines on Nov. 2. "You have a handful of incidents reported," Cohen says. "The electronic voting problems were extraordinarily [illegible] compared to the big picture."

-Grant Gross


CSO SECURITY CHECK

Where should President Bush focus more attention and resources in his second term?

26%

■ Protecting critical infrastructure

■ Improving cybersecurity

■ Endorsing public-private partnerships

■ Mandating business regulations

■ All of the above

Percentages based on 93 responses. CSO Security Check is an open weekly poll on www.csoonline.com.




News, Stats and Fast Facts

Edited by Kathleen S. Carr

The Electronic Road to the White House

The 2005 Presidential Inauguration Security Index

FROM THE DEPARTMENT OF VIDEO SURVEILLANCE

Ridge's Successor Can Beef Up Public-Private Ties


"Digital surveillance is very appealing, and we've bought into some of that—without being paralyzed by the hype. We want to let someone else be the guinea pig."

-SHEILA BRAMLITT, DIRECTOR OF CORPORATE SECURITY FOR FIRST HORIZON NATIONAL. FOR MORE ON THE EVOLUTION OF SURVEILLANCE READ, "REALITY T.V." ON PAGE 38.


HOMELAND SECURITY After announcing his resignation Nov. 30, Homeland Security Secretary Tom Ridge was asked if he has made gains in getting the private sector to take some of the infrastructure protection burden. "I think by engaging them on best practices in terms of securing—whether it's a chemical facility, telecommunications site and the like—and taking advantage of their professional expertise as we go about setting standards for security, we have been very successful to date," Ridge said.

CSO asked Lynn Mattice, director of corporate security and business intelligence at Boston Scientific and someone who has discussed public-private partnerships with Ridge, to evaluate these partnerships. We wanted to know whether Mattice thinks Ridge's words are a prelude of security standards to come.

"Ridge is saying here that the government has used the sector security organizations like oil and gas and electrical to deal with those specific sectors, but they have not reached out to the broader security community yet," Mattice says. "We proposed a domestic security advisory council, which Ridge accepted when he was head of the Office of Homeland Security before DHS was created [in 2002]. But, once the office was created, that subject was put on a back burner, and it is only just recently being reconsidered.

"His comments are most definitely a precursor to the indication that there will be more security regulations coming down the pike," Mattice adds. "I think a domestic security advisory council is vital to creating the kind of flow of information necessary between government and industry and to ensure that industry is well represented. I'd make the ISACs [information sharing and analysis centers] part of this council and not a separate group of entities. What'll happen is conflicting issues will arise and there'll be deadlock. We know how ineffective Congress can be sometimes. We should learn from this and not create more opportunities for deadlock. There should be a flow of communication." -Kathleen S. Carr


Employers Fight Oklahoma Gun Law

WORKPLACE SAFETY The Labor Department's annual census of workplace deaths, released this fall, shows that homicide in the workplace took the lives of 631 people in 2003. That's 11 percent of the total 5,559 workplace fatalities the government recorded for the year. The good news: The 2003 figure represents the second-lowest incidence of murder in the workplace since the government started keeping track in 1992. The lowest incidence (609) was in 2002, while the highest (1,080) occurred in 1994.

So, if workplace murders are trending downward, why is Oklahoma making it legal to bring firearms to work? A new state law permits it, provided the bearer leaves the weapon in a locked car on the employer's property.

In response, employers including energy companies ConocoPhillips and the Williams Cos. filed suit, asking a federal court to overturn the law because it violates a property-owner's right to exclude anyone with a weapon and thus preserve workplace safety, The Associated Press reports. Tulsa police officials concur, telling Tulsa TV station KOTV they fear the law will lead to an increase in workplace violence.

The federal district court has issued a temporary restraining order, putting the law on hold, while a higher court rules on whether violations of the new law are criminal or civil, according to AP. Oklahoma lawmakers advocated for its passage by saying that workers should be able to protect themselves, for example, during late-night commutes. "A lot of these businesses have late-night shifts, and these employees are subject to being violated by any type of predator that may be armed," Democratic State Sen. Frank Shurden, a coauthor of the law, told AP.

Paul Viollis, a workplace violence prevention expert and president of New York-based Risk Control Strategies, calls the firearms-OK-at-work law irresponsible. "I have no doubt that any state that permits an employee to bring a loaded firearm to work will affect the rise of workplace violence. Legally permitting American citizens to go to work and bring a loaded firearm is ludicrous," he says.

He adds that while the Occupational Safety and Health Administration gives employers the right to enforce restrictions on firearms in the workplace, this new Oklahoma law creates a burden on the CSO working to keep employees safe. -K.S.C.


20 www.csoonline.com January 2005


Advertisement

Working-At-Home Walter

Who can blame Working-At-Home Walter for feeling a bit smug as he tunes his radio to the morning traffic report? He's not stuck in that freeway mess caused by the overturned lobster truck. He hasn't even shaved, and may well not until dinner. Working-At-Home Walter has swapped his wingtips for fuzzy slippers, but still manages to stay highly productive—not to mention better fed than his in-office compatriots. As Working-At-Home Walter says, it's all a matter of having the right technology to make a home a castle of productivity.

Do you feel you are really as productive at home as you used to be in the office?

Actually no. I'm more productive! It took me a while to realize that all those water cooler conversations, nosh breaks, meetings that always seem to run longer than they need to, and other office antics didn't help my productivity one iota. At home, I'm totally focused. I have more flexibility, too. If I have to stop work at 4:30 to start dinner—I'm a great cook you know—I'll go back to work at 7 to finish up.

How has your boss reacted to your working at home so much?

My boss and the rest of the brass believe that happy workers are productive workers. Mobile technology from Nokia has helped me balance my home and work life. I'm very highly motivated to be as productive here as I'd be in the office, maybe even more so, because working at home gives me that balance I need.

So what's the secret?

In a word, Nokia. Only it's no secret because the company is world renowned for helping guys like me commute less, connect with coworkers from the comfort of my patio lounge chair, and work in my pj's. My mom got me these, so no laughing, OK?

What are the most important technologies for your work-at-home success?

My laptop is numero uno with me, but only if I can have confidence that the connection I have back to corporate is secure, given the info I need. Mobile email is my killer application so it has got to be working 24/7.

Why is security so important to you?

Don't let the slippers and pajamas fool you. I've got an important major accounts job. I need access to business-critical information intended for very few eyes. That access has to be as secure as the gold at Fort Knox. So we use Nokia Secure Access System. I'm no computer whiz, but I'm told this system leverages something called SSL technology running on Nokia's IP Security Platforms. Look, the bottom line is this: Instead of worrying if my data is safe, I get anytime, anywhere access to email, the corporate intranet, management portals, and just about any data I need—instantly and in real time. It's way cool!

What other mobile technologies work for you?

I love my Nokia 6820. It gives me quick and reliable access to the data I need and the people I want to contact. It's got a great color screen for my tired eyes. The quality of the speakerphone for conference calling is outstanding. Depending on my mood and needs, I also use my smartphone based on the Nokia Series 60 software platform. It's unbeatable for voice and data connections, whether for email on-the-fly or just messing around on the Internet.

And the IT people, what do they think of your working remotely?

My buddy Joe in IT says it doesn't matter to him and his crew where I work. Nokia helped the IT department apply best IT practices to all the mobile gear they support, so extending key applications to sofa jockeys like me has been no problem. Excuse me a second. Gotta take a call from one of my kids at soccer practice.

You are in great shape. How do you stay away from the refrigerator during the day?

Working at home takes some discipline. I ration myself two trips to the kitchen for snacks a day, just like a regular office break. And once in a while I ask my wife, "Honey, do I look fat?" Let's just say I married an honest woman.

About the Interviewer

Bill Laberis was editor in chief of Computerworld for ten years (1986-1996). He is president of Bill Laberis Associates, a custom publishing and content company (www.laberis.com). His columns, Webcasts, supplements and magazines are well-known and respected throughout the high-tech industry.

Learn how to mobilize your team and increase business productivity. Download "The Anytime, Anyplace World" white paper.

nokiaforbusiness.com

Produced by: Network World Custom Solutions

NOKIA
Connecting People


THE SECURITY BLOTTER

Breaches, scams and other recent incidents of note

Terror threat lowered for financial sites. On Nov. 10, the Department of Homeland Security lowered the threat level for the financial services sector in New York City, northern New Jersey and Washington, D.C., from Orange (high) to Yellow (elevated). DHS had raised the threat level on Aug. 1, 2004, citing intelligence reports that caused state and local authorities and financial companies to beef up security screenings and buffer zones around offices.

Suspected mobster charged with ID theft via phishing. An alleged Russian mobster, the subject of FBI and police investigations in three states, was arraigned on Nov. 8 in a Boston area court on multiple counts of fraud, identity theft, larceny and receiving stolen goods, according to the Boston Herald. Andrew Schwarmkoff, 28, allegedly used phishing attacks to collect the confidential information. When police arrested Schwarmkoff, they found credit card scanners, more than 100 bogus identity cards, $200,000 in stolen goods and nearly $15,000 in cash. Schwarmkoff was held on $100,000 cash bail.

NBA reviews security after brawl. After the Nov. 19 melee between unruly fans and several players from the Indiana Pacers and Detroit Pistons at The Palace of Auburn Hills, Mich., arena, the National Basketball Association issued suspensions to seven players—and a promise to reevaluate security procedures at all 29 league venues.

The NBA brawl prompted the National Football League to remind its 32 franchises about security rules and fan/player interactions. The NFL's security chief, Milt Ahlerich, says he speaks regularly with Bernie Tolbert, NBA vice president of security. "We discuss problems with alcohol management and crowd control," Ahlerich tells CSO. "Prevention is the preferred approach. We have policies in the NFL, and I'm talking to all the stadium managers to share good ideas. But everyone does it a little differently. I wouldn't tell the NBA how to do its job."

FDA pushes RFID technology to stop counterfeit drugs. Tagging boxes with radio frequency identification (RFID) labels is the way to stop counterfeit prescription drugs, according to the Food and Drug Administration. The FDA published a guide for drugmakers to run their own feasibility studies on implementing RFID tags. The government wants drug boxes to carry the tags by 2007. The electronic tags will let drug manufacturers and distributors keep better track of products as they move through the supply chain. Some drugmakers are already on board. Pfizer plans to place RFID tags on all Viagra bottles sold in the United States in 2005, a move the FDA applauds.

Michigan bills target ID theft. Michigan lawmakers are trying to make it a felony for someone to use another's personal identification information to obtain goods and services, The Detroit News reports. The legislature is expected to pass this and other bills aimed at information security crimes, including: extending the statute of limitations for prosecuting identity thieves to six years; creating the right for victims to obtain a police report that could help lessen the chance of a poor credit rating; and prohibiting a merchant from issuing receipts that contain more than four digits of a Social Security number. Under the proposed law, criminal charges could be brought where the victim lives and where the actual crime took place.

TSA seeks air passenger records to test terrorist watch lists. To test a new passenger prescreening system, the Transportation Security Administration on Nov. 12 ordered the nation's airlines to turn over information on travelers who took domestic flights last June. The airlines had until Nov. 23 to hand over passenger name records, which include all data that an aircraft operator has about a traveler's name and itinerary, according to TSA's public notice. The order applies to 72 commercial and public charter airlines and covers records for an estimated 50 million passengers. TSA will use the records to test its Secure Flight program, which checks the records on all U.S. air passengers against terrorist watch lists.


1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

2. If a bad guy can alter the operating system on your computer, it's not your computer anymore.

3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

4. If you allow a bad guy to upload programs to your website, it's not your website anymore.

5. Weak passwords trump strong security.

6. A computer is only as secure as the administrator is trustworthy.

7. Encrypted data is only as secure as the decryption key.

8. An out-of-date virus scanner is only marginally better than no virus scanner at all.

9. Absolute anonymity isn't practical, in real life or on the Web.

10. Technology is not a panacea.

SOURCE: THE MICROSOFT SECURITY RESPONSE CENTER'S "TEN IMMUTABLE LAWS OF SECURITY."


AMERICAN DYNAMICS

Transportation officials keep their eyes on the road with American Dynamics.

Transit officials rely on video security from American Dynamics to put them front and center at the scene of an accident, a traffic jam or suspicious activity. That's because American Dynamics sets the standard for intelligent and innovative video technology, with the advanced features and systems compatibility transit officials need. Our products are built to last, easy to install and easy to use. We offer a comprehensive selection that addresses virtually every application, big or small. So minimize your risks with American Dynamics, and keep everything moving smoothly.

SpeedDome Optima • SpeedDome Ultra • TT16E Advanced Dome Controller

www.americandynamics.net

• Intellex® digital video management systems

• SpeedDome® programmable dome cameras

• MegaPower™ matrix switcher/controller systems

• DigiMux™ digital video recorder/multiplexer

• IntelleView transaction monitoring solutions

• Fixed cameras, monitors and accessories


Bug Vendors

SOFTWARE VULNERABILITIES

There is a clear correlation between the irresponsible disclosure of software vulnerabilities and the appearance of worms, says James Whittaker. Whittaker, chief scientist at application security vendor Security Innovation, says there have been several cases in which worms wouldn't have been written if the bug hadn't been disclosed.

So what to do? Whittaker advocates for CSOs to share information about bugs with software vendors so that they can fix them. If CSOs act collectively, they can improve software quality by disclosing such vulnerabilities, says Whittaker, who is also a computer science professor at the Florida Institute of Technology. Departments Editor Kathleen S. Carr talked with him about responsible disclosure, government regulation and why he wouldn't want to be a CSO.

CSO: Why are vendors taking software vulnerabilities more seriously now?

James Whittaker: In the early 1990s, what sold software was feature richness. People didn't care about quality. In the late 1990s, the focus shifted to time to market. The features had caught up to each other. Internet Explorer and Netscape were exactly the same. Now, the only distinguishing factor is quality. But quality costs a lot, and you can't charge for it. People pay more for extra features. So vendors latched on to security as the one aspect of quality that they could charge for. Worms and exploits cost companies a lot of money. So security affects the bottom line. Vendors are focusing on security because they see it as immediate cost savings. They are advertising security. It sells copies. It's a market differentiator.

Does government need to regulate software?

I think that'd be disastrous. We've made massive strides for 50 years in software quality and security, when compared to any other industry. The government needs to look at us in that context.

In the 1980s and 1990s, the U.S. government developed a great deal of its own software and contracted out custom development—so-called GOTS [government off-the-shelf] software. They even prescribed it to be written in Ada, a language specifically designed for error avoidance and largely shunned by commercial entities.

In the mid-'90s, the government abandoned Ada and GOTS, and pushed to buy more commercial off-the-shelf software to increase quality and interoperability and to decrease cost. To me, this was an admission that—despite superior programming languages (Ada over C), and more money spent on development—commercial software developers were ahead of government developers. Since then, government's reliance on commercial, off-the-shelf software has continued.

I hate the idea of being regulated by someone who has admitted that they can't get it right.

What can CSOs do to demand disclosure?

Those poor bastards. I've been recruited by Fortune 50 companies to be their CSO, but it's a hopeless, thankless, impossible job to do well. When I consult with them I say, Here's a shoulder to cry on. They represent the customer. It's the CSOs who are kicking the major vendors to do better. They can force change in the industry. The big vendors are most afraid of the CSOs.

Vendors have a deep respect for CSOs. So power rests in the CSOs' hands. If they use their clout collectively, they can institute change. And they need to. Their butts are on the line.

On the government side, there is a lot of turnover. In a certain sense, it's a good thing. Vendors are against regulation. The more nervous vendors get, the more proactive they might be.

For more on bug disclosure, read "Beyond Passport Vulnerabilities" on Page 59.


FROM THE DEPARTMENT OF KNOW YOUR ATTACKER

[Chart; only fragments legible:] ... of intrusions in ... know whether insiders or outsiders were the cause.

SOURCES: "THE 2004 E-CRIME WATCH SURVEY" CONDUCTED BY CSO MAGAZINE IN COOPERATION WITH THE U.S. SECRET SERVICE AND CARNEGIE MELLON UNIVERSITY SOFTWARE ENGINEERING INSTITUTE'S CERT COORDINATION CENTER


ADVERTISING SUPPLEMENT

Intellitactics believes that IT security plays an essential role in assisting companies to achieve and sustain a compliance environment. These days, many IT security teams are implementing security information management (SIM) solutions to verify that the controls are working — that is, that you are actually doing what you set out to do, including:

• ensuring the validity and integrity of financial systems

• protecting the privacy of customer data and patient information

• sustaining the availability of the nation's critical infrastructure for transporting water and energy, and complying with other homeland defense initiatives.

LEGISLATION AND REGULATION

Recent regulatory changes are dramatically altering how companies conduct business and manage risk. Beginning with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects the confidentiality of patient records, Congress has passed a variety of legislation designed to safeguard the confidentiality, integrity and availability of information.

The Gramm-Leach-Bliley Act of 1999 increases protection for consumer privacy and data, while the Sarbanes-Oxley Act of 2002 (SOX) assigns accountability to the CEOs and CFOs of publicly traded companies, requiring them to personally attest to the accuracy and integrity of the company's financial reports and information. Meanwhile, SCADA (Supervisory Control and Data Acquisition) seeks to protect the computer systems and applications that control and monitor the nation's utility and energy industries.

Auditors are engaged to assess the business and systems relative to specific legislation and provide management with the identified lapses of control that put the company at risk. However, the burden of actually tightening controls to comply, resulting in reasonably anticipated risk, typically falls to the people who manage the information infrastructure.

For example, a recent audit of a large regional bank found ineffective controls regarding the use of e-mail for intra-bank communication. In balancing the risks associated with e-mail use against its business benefits, the compliance officer recommended eliminating e-mail for employees below the executive level. Compliance requires making risk-mitigating decisions every day; a SIM solution provides information to avoid decisions that could harm the business.

"Security Information Management solutions assist in measuring overall corporate risk posture and building out a sustainable compliance environment. Factors to consider in selecting a SIM solution should include flexibility of reporting, performance, scalability, breadth of platform coverage and adaptability to unique requirements."

— Paul Proctor, Vice President of Security and Risk Strategies, META Group

CSO Custom Publishing

EVALUATING RISK-MANAGEMENT PROGRAMS

The Gramm-Leach-Bliley Act sets standards for safeguarding customer information. Sustaining a compliance environment requires determining the adequacy and effectiveness of the risk-assessment process. Accepting reasonable risk requires the ability to quickly report on attributes that characterize risk, such as the number of vulnerabilities and attacks on sources of customer information.

Intellitactics' reporting correlates information on assets, vulnerabilities and threats across the infrastructure. That capability helps IT staffers address audit concerns and protect information assets by providing full visibility into the audit logs of the applications and the infrastructure they are dependent upon. Intellitactics also tracks the frequency of risk reports, providing insight into an organization's process for evaluating its risk posture.


VERIFYING COMPLIANCE

When the Securities and Exchange Commission's Division of Enforcement contacts a brokerage to inquire about the validity of financial reports, the brokerage must demonstrate compliance with the Sarbanes-Oxley Act of 2002 attesting to the integrity of critical information assets.

Using Intellitactics' SIM solution, the brokerage is in complete control of security information that verifies and validates compliance with SOX standards. Intellitactics verifies that controls are working by consolidating and analyzing electronic logs, which would be impossible to examine manually, by providing quick response to inquiries that validate that the chain of custody relative to the information found in the financial reports was not compromised.

Intellitactics' SIM enables risk managers to respond quickly and accurately when the SEC comes calling.

INTELLITACTICS SIM SOLUTION

Invariably, companies turn to their security and compliance officers to develop plans and implement technology that will enable them to maintain business efficiencies while tightening the controls needed for compliance. Intellitactics SIM is used around the world by financial institutions, healthcare conglomerates and government agencies as a centerpiece of enterprise security. The benefits:

• First, Intellitactics acts as an agentless collector of high volumes of data from any number of security devices, operating systems and applications.

• Next, Intellitactics efficiently analyzes the data and immediately uses a subset of data to create a smaller number of meaningful events used for threat detection.

• Finally, Intellitactics reliably compresses and stores all data for future use by creating standardized and scheduled reports in order to measure the effectiveness of controls.

Intellitactics' architecture singularly delivers the performance required for real-time threat detection and the capacity to handle the huge volume of data required for reporting. Its combination of adaptability, rapid deployment and reliable results provides an attractive return on investment for companies managing risk, sustaining compliance or ultimately protecting critical information assets from exploit.

FRAMEWORKS AND STANDARDS

IT security organizations are using any number of frameworks and standards to incorporate processes and control objectives to tighten lapses of control. The effectiveness of the security infrastructure is linked to the successful creation of an environment that complies with all regulations—without crippling the business. Selecting a defensible, auditable set of security controls is critical, and implementing automated solutions to sustain the controls is a must-have on the road to compliance.

Why are frameworks and standards helpful? None of the SOX legislation, for example, explicitly prescribes for information security technology or processes. In fact, the compliance requirements themselves are very high-level, providing little in the way of concrete implementation guidelines. Governance frameworks such as COSO and aligned control-objectives frameworks such as COBIT (Control Objectives for Information and Related Technology) provide a reasonable roadmap for creating a defensible and auditable set of security controls. These frameworks are supplemented by ISO 17799 and ITIL (Information Technology Infrastructure Library), as well as by internally developed criteria that prescribe a process for implementing compliance requirements.

Organizations successfully use COBIT, for instance, to define specific IT goals, processes and controls. COBIT's greatest achievement is in unifying analytical needs into a single model, lowering implementation costs and risks associated with compliance. COBIT includes in its framework 34 IT processes, seven information criteria and about 300 control objectives, along with audit and management guidelines.

To read more about COBIT and other standards, or to enroll in Intellitactics' Web seminar, "Security Center of Excellence: Sustaining a Compliance Environment," visit www.intellitactics.com. Go to www.intellitactics.com/COBIT to see a table of COBIT control objectives and corresponding Intellitactics reports.


between the art and science of security, continuously weighed against the needs of the business. Getting the "science" part of the equation right is the easier part. The technologies are known entities, and better ones continue to evolve. There are quantitative measurements around such issues as intrusion detection, forensics and regulatory compliance, along with more mature attempts to quantify the ROI of security.

It's the "art" of security that's the harder part—the art of diplomacy, of persuasion, of getting into and understanding other mindsets. It's everything from establishing security procedures everyone will actually follow to fostering positive relations with senior executives and the board of directors. It's getting the staff to think like a hacker or terrorist to get ahead of potential threats.

Join your peers from business, industry and government as we tackle the challenges facing today's senior security executives.


April  10-12, 2005 

Hyatt  Regency  Huntington  Beach 

Huntington  Beach,  CA 

Turn the page for more CSO Perspectives conference details


Sponsored  by 


Presented  by 




Adobe 


The  Resource  for 
Security  Executives 


SPEAKERS

Michael J. Assante, CSO, American Electric Power
Bob Bragdon, Publisher, CSO Magazine
David Burrill, CSO, British American Tobacco
Roger Cochetti, Group Director, US Public Policy, CompTIA
Bob Hayes, CSO, CXO Media Inc. & Former CSO, Georgia-Pacific Corporation
Nuala Kelly, Chief Privacy Officer, DHS
David Kent, CSO, Genzyme Corporation
Lew McCreary, Editor in Chief, CSO Magazine
James McDonnell, Chief Security & Information Officer, USEC and Former Director, Protective Security Division of the Information Analysis and Infrastructure Protection Office, DHS
Peter Metzger, Partner, Heidrick & Struggles
Bhavesh Patel, Vice President, Information Security, Genzyme Corporation
John Pontrelli, CSO, TriWest Healthcare Alliance
Jeffrey Rosen, Professor of Law, George Washington University and Author of The Naked Crowd and The Unwanted Gaze
Jeff Rosenthal, Vice President, BlessingWhite, Inc.
Marshall Sanders, Vice President, Global Security, Level 3
Krizi Trivisani, CISO, George Washington University
Ira Winkler, Industry Guru and Author of Corporate Espionage and Spies Among Us
Amit Yoran, Former Director, National Cyber Security Division of the Information Analysis and Infrastructure Office, DHS
Jonathan Zittrain, Conference Moderator and Cofounder, Berkman Center for Internet & Society, Harvard Law School


To  register  and  for 
more  information 

call  800.366.0246  or  visit 
www.csoonline.com/conferences 


April  10-12,  2005 

Hyatt  Regency  Huntington  Beach 
Huntington  Beach,  CA 


We'll examine this complex balancing act by looking at what the top practitioners are thinking and doing, and by listening to what leading security and privacy experts think will affect the landscape of the future.


Governance and Convergence: Getting It Right

The convergence of physical and information security, if effectively governed within an organization, assigns accountability for security strategy and business plan creation at the highest levels. It can enable company leadership to identify, prioritize and balance security issues and needs of the business through a more comprehensive approach.

Enterprise Risk Management: A Matter of Focus

Looking at and balancing risk on an enterprise level is the only effective way to manage a corporation in our very complex world. Explore how enterprise risk management can give a single view of all types of risks, and an executive-level management strategy to deal with them.

Security as a Business Enabler

Perhaps the hardest part of security is to cost justify it and show its value to the business. It's like buying an insurance policy—no one really wants to spend the money. What if you could prove that security really can add value?

What's Privacy Got to Do With It?

The importance of balancing privacy and security in a digital age is only overshadowed by the perceived difficulty of actually doing it. The current economic, legal, and regulatory challenges after 9/11 have made it all the more important to ensure the adoption of good laws and technologies that protect privacy and security at the same time. We provide a roadmap.

Regulatory Rundown

Is security on the way to becoming a fully regulated industry? An increasing—some say alarming—number of official communiques from legislative bodies, regulatory agencies and industry consortia around the world suggest that might indeed be the case. We look at some of the highest-impact issues, what CSOs can do to make sense of it all, and if there's hope in being able to influence future legislation.

The Role of Government: One Step Forward, Two Steps Back?

The US government, particularly DHS, has had tremendous opportunities to advance the public good and protect the American economy by strengthening both cyber and physical security and by building more cooperative relationships with the private sector. But there's a perception that it has failed to seize those opportunities and to move forward. What should we realistically expect—and how do we make it happen?

The Art of Persuasion: "Selling Up" in the Organization

Senior management and boards of directors often still view security as an inconvenient cost of doing business. Many CSOs today have yet to report directly to the CEO or stand before their organizations' boards, and have a fair way to go before they're taken seriously as C-level executives. Each of our panelists brings a unique perspective to helping CSOs perfect the art of persuasion.

Plus More Peer-to-Peer Networking Opportunities

• CSO Golf Tournament
• Moderated Discussion Groups
• Luncheon Discussion Roundtables
• DrillDown Breakout Sessions
• Networking Receptions
• Sponsor Hospitalities


The  Who,  What  and  Why  of  Washington 

Top  Billing 


NEWS  FROM  INSIDE  THE  BELTWAY 


Challenges In and Out

As DHS struggles to find a permanent cybersecurity chief, its CIO and CISO are grappling with challenges of their own. By Al Sacco


IN THE TWO YEARS since the inception of the Department of Homeland Security, twice as many men have held the lead cybersecurity position, though their titles have changed. First, there was Richard Clarke, who resigned in 2003 and went on to write a scathing review of the Bush administration's handling of 9/11. Next was Howard Schmidt, who said he "finished his job" by completing the National Strategy to Secure Cyberspace. Then came Amit Yoran, who resigned after only a year, giving one day's notice. Most recently, Donald A. "Andy" Purdy, Yoran's former deputy, was named acting director.

With such a rapid succession of people leading DHS's outward-facing cybersecurity initiatives, is it any wonder that DHS's internal cybersecurity initiatives are struggling as well? A recent report issued by the DHS inspector general suggests just that.

Released in October, the "Evaluation of DHS's Information Security Program for Fiscal Year 2004" recommends that "DHS continue to consider its information systems security program a significant deficiency." While the report notes that DHS made significant progress during 2004 in developing and implementing its information security program, CIO Steven Cooper and CISO Robert West still have a long way to go.

For example, Cooper is not on the department's senior management team. There is no formal relationship between Cooper and component CIOs, nor between West and component information systems security managers. DHS lacks an accurate and complete system inventory, which presumably would allow the organization to better monitor the support systems needed in a time of crisis. Also, many fundamental information security policies and procedures are in draft form, meaning they have never been officially approved by (or even communicated to, in some instances) the appropriate parties.

In his written response to the report, Cooper indicated that he "generally concurred" with the findings. He noted that DHS is working toward a comprehensive inventory of the Department's general support systems and major applications. There are also plans in place to improve communication between West, whom he has charged with the information security plan, and DHS's components. Cooper also included a digital dashboard that DHS has implemented for tracking its progress in areas such as security training, NIST compliance and critical infrastructure protection performance. Although many of those areas are currently set at the "marginal" (or lowest) setting, DHS has a baseline for improvements.

Cooper and his staff declined to elaborate, but Schmidt points out their colossal challenges. "A lot of government organizations haven't reached the level of security we'd like to see," says Schmidt, now CISO of eBay. "DHS is at even more of a disadvantage than most, because while these other organizations are trying to get their one agency up to par, DHS is working with 22 of them." ■

News  from  Washington 

To  read  more  about  what’s  happening  in  Washington,  D.C., 
visit  our  website  at  www.csoonline.com/wonk. 


As part of its effort to combat identity theft, the Federal Trade Commission has adopted a new Disposal Rule as part of the Fair and Accurate Credit Transactions Act. Individuals or companies that possess consumer credit reports must take "reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." In other words, get out the shredders. The rule takes effect June 1.

A single security clearance database is in the works at the Department of Homeland Security. The nationwide network will include clearances for state, local and private-sector officials who need access to secure facilities or classified information. According to Federal Computer Week, DHS CSO Jack L. Johnson says that state security directors will assign clearances for public officials, while private-sector officials will gain clearance through the Information Sharing and Analysis Centers.

The Transportation Security Administration has proposed an Air Cargo Strategic Plan that would create a system for screening the cargo transported in the nation's all-cargo aircraft. The plan, published in the Federal Register, would require "the adoption of security measures throughout the air cargo supply chain, and would impose significant barriers to terrorists seeking to use the air cargo transportation system for malicious purposes." TSA already screens cargo carried onto passenger aircraft.

The National Institute of Standards and Technology released a draft of its standards for electronically identifying federal employees and contractors. This framework will become the basis for federal identification cards such as the Transportation Security Administration's Transportation Worker Identification Credential.




January  2005  www.csoonline.com  27 


Before processing any claims information, the agent should first verify that the incident has been reported as a crime to a police department.


Identity Protection

Judith Collins is an associate professor at the School of Criminal Justice at Michigan State University. She answers readers' questions about securing customers' and employees' personal information.


Q: I love the convenience of online banking and shopping, and I want to use a wireless hub at home and at the office. What can I do to ensure that my banking and credit information cannot be accessed by others?

A: Frankly, I do not recommend online banking, but for the following reasons, I do distinguish online banking from online shopping.

With online banking, the most you can do is to be sure to routinely update Windows patches and use a good antivirus program, such as Norton; and install firewall software (I like Zone Alarm, and it's free for personal use). Also, installing Spybot helps prevent keystroke logging and installing Ad-Aware helps prevent spam. Both are free at www.download.com, legitimate, and somewhat effective. In addition, when on a bank's website, look for an "s" after "http" in the URL, as well as a lock symbol in the lower right-hand corner of the screen, which indicates the transmission is encrypted.

Note, however, that neither Internet technology nor any other security mechanism is 100 percent effective.

Online shopping is a different matter: Here you do not use your bank account or Social Security number. Further, if a credit card number is stolen and fraudulently used, most credit card companies bear the burden and the victim is usually responsible for $50 at most.

One important point: Do not link your credit card to your bank account (either checking or savings), such as for overdraft protection purposes. Do not give perpetrators another opportunity to access bank accounts through credit card accounts.


Q: Given how many threats exist to security in today's world, what can organizations do to keep their businesses secure?

A: There are many practices a business can institute. Currently, many businesses use traditional guidelines to safeguard information. These standards were devised from the study of infosecurity management and psychology.

Traditional guidelines covered such issues as how to select your employees, how to develop an honest culture and how to perform risk assessments. However, these guidelines are too often seen as rigid, and so they haven't been modified to meet the needs of infosecurity in the 21st century.

I've written about how to update these standards, so that organizations can comply with federal laws on safeguarding information. (For more information, reference Collins' book, Prevent Identity Theft in Your Business.)

Q: Where can I find more information on identity theft?

A: Both the Michigan State University Identity Theft University-Business Partnerships in Prevention and the ID Theft Crime and Research Lab, established in 1999, perform victim advocacy and train law enforcement (federal and state) on first responses to identity theft and on how to investigate crimes of identity theft. They also conduct ID theft investigations for victims, consult with businesses to secure personal information, conduct research on identity theft and identity crimes, and, at the MSU School of Criminal Justice, offer graduate classes for the Information Security Management and CyberCrime Investigation Certification.

Other sources provide specific information. For example, the Federal Trade Commission collects data from victims and reports annually on incidents of identity theft. Another resource for victims is the Privacy Rights Clearinghouse at www.privacyrights.org.


Q: In a call center environment, a large amount of customer information is available to the agents. What kinds of information should those reporting identity theft provide?

A: Persons calling in to the center to report identity theft should provide the call center agent with two things: the police report number and the name of the police officer who took the victim's complaint.


Ask Your Peers

Have a security topic to suggest or an expert you'd like to hear from? Send your thoughts to Departments Editor Kathleen S. Carr at kcarr@cxo.com. See what your peers are discussing at www.csoonline.com/counsel.






2005  GLOBAL  EVENTS 


North  America  CACS 
Las  Vegas,  Nevada,  USA 
24-28  April  2005 


At North America CACS, more than 700 industry experts from around the world will gather to discuss challenges facing today's IT and information security communities. Designed for newcomers and veterans alike, this four-day conference focuses on IT audit core competencies, IT audit practices, compliance issues, control and IT governance issues and practices, information security practices and management issues, and IT risk management. Be sure to register for a Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) two-day review workshop held in conjunction with the conference.

Receive up to 44 continuing professional education (CPE) credits by attending North America CACS (23 by attending the conference and 21 by attending the workshops).


Register online today at www.isaca.org/nacacs

ISACA Training Weeks

Whether you are an IS audit, control, security or accounting professional, these pragmatic five-day programs will provide you with the confidence and assurance you need to maintain your competitive advantage. Each training week offers three session choices: Fundamentals of IT Auditing, IT Audit Practices and Information Security Management. Each day is filled with practical sessions that will give you clarity, new ideas and one-of-a-kind networking opportunities.

ISACA Training Week participants are eligible to receive up to 38 total continuing professional education (CPE) credits.

For more information or to register online, visit www.isaca.org/trainingweek.

28 February-4 March 2005, New Orleans, Louisiana, USA
7-11 March 2005, Frankfurt, Germany
6-10 June 2005, Baltimore, Maryland, USA
12-16 September 2005, Vancouver, British Columbia, Canada
6-11 November 2005, Chicago, Illinois, USA
5-9 December 2005, Phoenix, Arizona, USA

Information Security Management Conference
19-21 September 2005
Las Vegas, Nevada, USA


Designed for experienced information security managers and those who have information security management responsibilities, this event will feature a series of information security managerial sessions as well as others focusing on information security program issues. This combination of high-level and detailed sessions will allow attendees to customize their conference learning experiences according to their specific interests and professional needs. CISMs and those aspiring to become CISMs will find great value in this conference.

Information Security Management Conference attendees are eligible to receive up to 18 continuing professional education (CPE) credits. Those who attend an optional workshop are eligible to receive an additional seven credits. More information can be found at www.isaca.org/infosecurity.

The Las Vegas Network Security Conference will be held in conjunction with the Information Security Management Conference. Visit www.isaca.org/nsc for details.


Information Systems Audit and Control Association

3701 Algonquin Road, Suite 1010
Rolling Meadows, Illinois 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: conference@isaca.org
Web site: www.isaca.org




Cybercrime

Alexey Ivanov's job interview didn't go as well as he'd hoped.

IN THIS STORY: Because there are sure to be more like him back home, we look at the life and crimes of a Russian hacker, and at questions raised by his case relating to international search and seizure.

Ivanov, then a 20-year-old computer programmer from Chelyabinsk, Russia, had flown to Seattle in November 2000 to apply for a job with a company called Invita Security. To the young Russian, Invita promised the dream job. The company was clearly entrepreneurial—entrepreneurial enough to seek out the services of this skilled hacker who worked in an abandoned factory halfway around the world. They even promised to pay his airfare and to pick him up at the Seattle airport. At Ivanov's suggestion, the company encouraged him to bring along a fellow programmer, Vasiliy Gorshkov. When the two Russians arrived, their Invita hosts explained what they were looking for: a few good hackers who could break into the networks of potential customers as part of an effort to persuade those companies to hire Invita to keep hackers out. Ivanov was familiar with the tactic.

As Ivanov, Gorshkov and two American business types sat at a table in a Seattle office, Gorshkov regaled the interviewers with tales of his hacking exploits, and Ivanov allowed himself to dream of a better life. He was exhausted: The trip from Chelyabinsk had taken nearly 48 hours, and he had not waited to arrive to start celebrating his good fortune. The interviewers asked their guests to demonstrate some of their skills, and the two Russians took turns logging in to their own network back in Chelyabinsk. Ivanov knew that he and Gorshkov were good, so when his hosts appeared to be impressed, Ivanov was not surprised.

The big surprise would come later, when the two Russians were being driven to their lodgings. The car stopped suddenly; the doors flew open, and Ivanov heard someone say: "FBI. Get out of the car with your hands behind your back."

It was then that he remembered something he had heard about America: It was the kind of place where anything could happen.

Ivanov and Gorshkov were charged with conspiracy, computer fraud, hacking and extortion. Gorshkov was jailed in Seattle, where his incriminating boasting took place. Ivanov was flown east, to Connecticut, to be tried in the home state of the Online Information Bureau—one of several companies whose servers he had breached.

The federal agents who arrested the Russians brandished a short catalog of cybercrime allegations. They claimed that the Russians had tried to extort money from scores of U.S. companies, including Central National Bank of Waco, Texas; Nara Bank N.A. of Los Angeles; and a Seattle-based ISP called Speakeasy. As it turned out, most of the allegations were right on the money. Ivanov and Gorshkov had, among other things, tapped a database of an estimated 50,000 credit cards, and they were making good use of some of them. Gorshkov would be found guilty of all four crimes, sentenced to three years in jail and ordered to pay $692,000 in restitution. He has since returned to Russia. Ivanov would eventually admit to hacking into 16 companies. He served three years and eight months in jail and owes more than $800,000 in restitution.

The drama of the Seattle sting is the stuff of suspense novels, but the courtroom machinations will more likely appear in law school lectures on international search and seizure. Today, with the smoke cleared, the most significant gain from the Ivanov case may be the legal milestones marked when courts upheld the right of federal agents to seize evidence remotely, and to charge foreign cybercriminals in U.S. courts. But despite those rulings, the case also leaves important cyberlaw questions unanswered— particularly in the area of uniform international rules for Internet search and seizure.

A Russian Hacker’s Guide to Protection from Russian Hackers
Alexey Ivanov’s advice (for CISOs)

Do not store information on your network that doesn’t have to be there. There is usually no good reason for companies to store the credit card numbers of customers. Do not store hash from credit card transactions. Access to hash makes it much easier for hackers to get credit card numbers.

Don’t think that custom software will not be hacked. While it may be true that fewer hackers will challenge the system, it only takes one to beat it.

Pay attention to your entire business infrastructure— IT and otherwise. Hacking is just one way for outsiders to get inside information.

Make someone responsible for installing all security updates. Every company says they do this, but many do not.

If you choose to communicate with hackers, do not make promises you can’t keep. Serious damage can result.
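Ivanov’s first two points in the sidebar above, that card numbers should not be stored at all and that a bare hash of a card number is little safer than the number itself, can be made concrete. The Python below is an added example, not code from the article or from any company named in it. It shows how small the search space behind an unkeyed hash is once someone holding the database also sees the masked form that receipts print (issuer prefix and last four; the Luhn check digit removes one more digit of freedom), and the alternative I would use instead: keep only the masked form for display plus a keyed HMAC-SHA256 token for matching, with the key held outside the database. The test card number, the key handling and the function names are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample value for the example (a standard test number, Luhn-valid).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the issuer prefix and last four, which is what most business processes need."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_search_space(pan_length: int = 16, known_prefix: int = 6, known_suffix: int = 4) -> int:
    """Number of candidate numbers that remain when the masked form is known.

    The middle digits are free, and the Luhn check fixes exactly one of them,
    so an unkeyed hash can be tested against 10**(unknown - 1) candidates:
    about 100,000 for a 16-digit card, which is why a plain hash is no protection.
    """
    unknown = pan_length - known_prefix - known_suffix
    return 10 ** (unknown - 1)


def plain_hash(pan: str) -> str:
    """What the sidebar warns against: an unkeyed digest anyone with the table can test candidates against."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a key kept outside the database (HSM, KMS or a separate secret store).

    Without the key, candidate numbers cannot be tested against the stored value,
    so the small search space above no longer helps.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def store_record(pan: str, key: bytes) -> dict:
    """Build the record a defender would persist: masked form for display, keyed token for matching.

    The full card number is never part of the record.
    """
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    return {"masked": mask_pan(pan), "token": keyed_token(pan, key)}


def matches(record: dict, candidate: str, key: bytes) -> bool:
    """Constant-time comparison of a candidate number against a stored record."""
    return hmac.compare_digest(record["token"], keyed_token(candidate, key))


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # in practice: fetched from a key service, never stored beside the data
    rec = store_record(SAMPLE_PAN, key)
    print(rec["masked"], "candidates behind an unkeyed hash:", unkeyed_search_space())
    print("match with key:", matches(rec, SAMPLE_PAN, key))
```

The masked form is enough for customer service and receipts; the keyed token lets a returning card be recognised (for fraud velocity checks, for example) without the number itself or anything an unkeyed lookup could reverse being held in the table.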

The United States of America v. Alexey V. Ivanov was touted as a major success story in the battle to protect American corporations from the menace of foreign hackers. For their work on the case, FBI agents Marty Prewett and Michael Schuler were awarded the Director’s Annual Award for Outstanding Criminal Investigations. Still, most computer security experts understand that busting two reckless Russian hackers won’t dent the many billions of dollars lost to cyberbandits operating overseas each year. Technology analyst firm IDC (a sister company of CSO’s publisher) estimates that 65 percent of cyberattacks originate overseas; IDC also estimates that in 2003 U.S. corporations spent more than $25 billion to keep hackers out of their databases.

For Alexey Ivanov, the story of his hacking, his crimes, his arrest and his release from prison ends in a place that he finds perfectly satisfactory. His goal, he says, had long been to come to the United States. And now he is here, living and working in New England. Ivanov says he started his U.S. job search in April 1999. He did it the way any sensible hacker living on the other side of the world would do it. “I went to Dice.com and downloaded a database from a job-seeking server,” he says. “It was easy. I wrote some scripts, and in a few hours I was sending my resume to 5,000 jobs.”

Several prospective employers responded to his inquiries, he says, but none was willing to sponsor an unknown job candidate from Russia. “After that I decided to go a little bit the other way,” he says. “I thought, Why don’t I convince people about my skills, and in order for me to convince them, I have to demonstrate them. This is how I came up with the idea of hacking into companies.”

Ivanov had good reason to think that such a tactic would pay off. Two years earlier, in December of 1997, he and a friend had hacked into the servers of a local Internet service provider and downloaded a database of user names and passwords. “When I notified the company,” says Ivanov, “they offered me a job.”

But that job, he says, paid poorly— only about $75 a month— and he eventually joined a group of hackers who shared an appreciation for more entrepreneurial challenges. There, at a company called tech.net.ru, Ivanov learned the practice of “carding”— buying goods online with stolen credit cards.

32 www.csoonline.com January 2005

At first, he says, it was books and CDs, ordered online from Amazon.com or Barnesandnoble.com. To avoid suspicion, the group would have the goods mailed to cities in neighboring Kazakhstan, where they would hire young women to receive the packages. Ivanov and others would travel to the distant cities, pick up the goods, and take them to Chelyabinsk. There, much of the merchandise found its way to legitimate shops, where the CDs were prized. The quality of the recordings was far superior to the shops’ other CDs, which had been pirated in Bulgaria.

“At first, all of the activities at tech.net.ru were illegal,” he says. “Then we came up with the idea that we would look less suspicious if we established some legal business, so we started designing webpages.”

They also started hacking into any sites that looked vulnerable. For the Russians, each hack presented a new challenge and, in most cases, a new victory. Some of those victories paid off in cash, and all of them offered the satisfaction of winning. They were beating a system, and they were outsmarting the smartest security guys in the country that considered itself technologically superior to all others. For a hacker, there was nothing better.

PayPal provided the Russians with one of their more satisfying conquests, if not one of the more lucrative. Ivanov claims to have masterminded the PayPal scam. The first step, he says, involved placing scripts on eBay that collected the e-mail addresses of PayPal customers. Then, using the domain name “PayPal,” with an uppercase “I” instead of a lowercase “L,” Ivanov set up a mirror site that was a replica of PayPal. Ivanov and his cohorts then sent e-mails to PayPal customers, offering them a gift of $50, for which they had only to enter their passwords on the bogus site. The scammers simply sat back and collected the password harvest.

“We weren’t really malicious,” he says. “We could have sent it to thousands of people, but we only sent it to 150. We got about 120 passwords. We did that mainly for fun.”
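The PayPal scheme above worked because a capital I passes for a lowercase l in a domain name, and since DNS folds case, PayPaI.com is simply a different host from paypal.com. The Python below is an added example, not code from the article: a small lookalike-domain check of the kind a mail gateway or brand-protection job can run over the links in incoming messages, folding commonly confused characters into a skeleton and comparing it with a list of protected brand names. The confusable table, the brand list and the sample e-mail are constructed for the example; a production version would find the registrable domain with the Public Suffix List rather than the last-label shortcut used here.

```python
import re
from typing import List, Optional, Tuple

# Characters commonly swapped for one another in lookalike domain names.
# Each key is folded to its canonical value before comparison. Constructed table.
CONFUSABLE_CHARS = {
    "1": "l", "i": "l", "|": "l", "!": "l",
    "0": "o",
    "5": "s",
    "8": "b",
    "2": "z",
}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}

# Brand labels whose lookalikes should be flagged. Constructed list.
PROTECTED_BRANDS = {"paypal", "ebay", "amazon"}

# Constructed sample message: one lookalike link and one genuine link.
SAMPLE_EMAIL = (
    "Dear PayPal member, claim your $50 gift at "
    "http://www.PayPaI.com/claim before Friday. "
    "Questions? See http://www.paypal.com/help"
)


def registrable_label(host: str) -> str:
    """Return the label just left of the suffix (assumed here to be the last label)."""
    labels = host.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def skeleton(label: str) -> str:
    """Fold case and collapse confusable characters so visually similar labels compare equal."""
    s = label.lower()                       # "PayPaI" -> "paypai"
    for pair, rep in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, rep)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)   # "paypai" -> "paypal"


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand a host impersonates, or None if it is the brand itself or unrelated."""
    label = registrable_label(host)
    if label in PROTECTED_BRANDS:
        return None                         # the genuine registered label
    sk = skeleton(label)
    for brand in PROTECTED_BRANDS:
        if sk == skeleton(brand):
            return brand
    return None


def flag_links(text: str) -> List[Tuple[str, str]]:
    """Scan a message body for http(s) links whose host impersonates a protected brand."""
    flagged = []
    for host in re.findall(r"https?://([A-Za-z0-9.\-]+)", text):
        brand = lookalike_brand(host)
        if brand:
            flagged.append((host, brand))
    return flagged


if __name__ == "__main__":
    for host, brand in flag_links(SAMPLE_EMAIL):
        print(f"lookalike of {brand}: {host}")
```

A hit is a reason to quarantine or rewrite the link, not proof of fraud on its own; the skeleton comparison deliberately errs toward flagging, so pair it with an allowlist of the brands’ own registered variants.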

Despite its limited application, the PayPal scam provided proof of concept and emboldened Ivanov and his group to set their sights on a higher prize.

After shopping on eBay for more than a year, the hackers were convinced that the sellers of more expensive items would not deal with unknown buyers living on the other side of the world. And they wanted to buy more expensive items. “We were buying things for a shallow five hundred bucks,” says Ivanov. “We wanted to get up to like five thousand bucks.”

It so happened that eBay had a function that would help them do that. The site’s “rate the buyer” feature could reassure sellers that the Russians were trustworthy. All they had to do was get inside and manipulate the numbers. (Hani Durzy, an eBay spokesman, says that while it may now be possible for hackers to manipulate such interactive features, that won’t be the case for long. Durzy says the company is developing technology that will identify the kind of malicious code used in such hacks.)

For Ivanov and his fellow hackers, the summer and fall of 2000 was a time of plenty. A promising revenue stream had begun to flow from their freelance security services. The business model was simple and hardly unique. Ivanov and his cohorts would hack into supposedly secure networks in the United States, inform the network administrators of the hack, and offer to fix the networks’ vulnerabilities for a price. Ivanov says he persuaded three companies that he could help them patch vulnerabilities in their networks. He did this, he says, and they paid him cash, from $80 to $4,000. One of those companies, the Seattle-based CTS, also gave Ivanov storage space on its servers. Ivanov says a fourth company promised to pay but did not. That company, he says, later suffered from the destruction of data.

Ivanov was also working on a way to transfer money from one bank to another and had recently cracked the security of an online casino. The hackers were working hard, up to 16 hours a day, he says. But it was paying off. In a six-month period, says Ivanov, they scammed $150,000. It was a very exciting time, he says. The Internet had delivered to him, in a polluted factory city in the Ural Mountains, the promise of both untold riches and untold challenges. Ivanov wasn’t sure which he liked best.

At the same time, he was wrestling with a major personal decision. In June of 2000, he had received an e-mail from a company in Seattle. The company had challenged him to hack into its site. When Ivanov did that, the strangers asked if he would consider relocating to Seattle. The company said it was in the market for “security talent,” a deliberately vague phrase that could easily be read to mean “hacker.” Ivanov appeared to have the kind of talent they were after.

He knew that in the long run, the Seattle job could be even more rewarding than his eBay “rate the buyer” scam. So in November, with the eBay function not quite ready to go, he said good-bye to his family and boarded a plane for Seattle. Once he was in his seat, he says, he started ordering drinks. He was pleased to be bound for a new life in a new country with a new job for a company with the curious name of Invita Security.




Cybercrime

When FBI agents, posing as Invita employees, watched Ivanov and Gorshkov demonstrate their skills, they were learning more than the two Russians knew. The agents had placed a “sniffer” on the computer keyboard, and as the Russians typed the user names and passwords needed to get into the network of tech.net.ru, the device recorded the keystrokes. With that knowledge, the FBI was able to download some 2,700MB of data to be used as evidence.

The agents had a very good idea of what they were looking for. The FBI had been contacted by several companies that believed they had been targeted by something called the Expert Group of Protection Against Hackers. The organization, made up of dozens of hackers in several Russian cities, operated the same way Ivanov did, exploiting a vulnerability in Microsoft NT server software to break into the networks of U.S. corporations. At first, the feds believed that Ivanov and Gorshkov were part of the group, and that they might be working with the Russian mob; the government has since backed off those allegations.

The FBI’s download, the cornerstone of the government’s case against the hackers, did not go unchallenged into the federal courts, or, for that matter, into the annals of U.S.-Russian relations. When the FBI broke into the Russian computers, they did so without two important sanctions: One was the permission or cooperation of Russian authorities; the other was a search warrant, which was not acquired until three weeks after the download. Whether the Justice Department attempted to coordinate the investigation with Russian authorities remains a subject of dispute. Federal agents have testified that they attempted to work with Russian authorities, but that their communications went unanswered. The Russians say there was no such effort and claim the download violated a 1997 agreement among G-8 nations that mandates “investigation and prosecution of international high-tech crimes must be coordinated among all concerned states, regardless of where harm has occurred.” Russian authorities have reportedly issued arrest warrants for the agents involved.

Once it entered the federal court system, the case against Vasiliy Gorshkov moved quickly to conclusion. Gorshkov was tried in Washington state, where U.S. District Judge John C. Coughenour was unreceptive to arguments that the FBI overstepped its search and seizure authority. In Coughenour’s opinion, the data on computer drives in Chelyabinsk was not protected by the Fourth Amendment. The decision meant that federal agents had the right to break into computers in other national jurisdictions, as long as it was for purposes of law enforcement. It also meant that Gorshkov had little hope of beating the rap. And he didn’t.

Ivanov’s legal journey would follow a different path. Because one of the companies he offered to “help” was based in Connecticut, his case was moved to Hartford. A veteran defense attorney named C. Thomas Furniss was appointed to represent Ivanov. Furniss brought on board a young lawyer and former technology worker named Morgan Rueckert. Rueckert was intrigued by the case, which he suspected would test some of the nascent limits of cyberlaw.

“This was the first case in which the government used methods like these,” explains Rueckert. “They set up a fake company and then solicited a job application. They used that method to bypass what you could call a deficiency in extradition agreements.” Rueckert believes that the warrantless search of Ivanov’s computer in Russia was also a first. In defending that search, prosecutors claimed that if they had not acted swiftly— more swiftly than the time it would take to get a warrant— the incriminating data would have been destroyed. While that may be true, says Rueckert, the government also failed to get a warrant when it asked CTS to hand over the data that Ivanov had stored on its servers.

“In that instance,” says Rueckert, “the government may have violated the Electronic Communications Privacy Act.”

While Rueckert examined the privacy issues, defense lawyer Furniss fixed on a larger target. His first motion was to dismiss on the grounds that the government lacked jurisdiction. The question is, says Furniss, “Does Congress intend the criminal statute...to be applied extraterritorially? It’s an interesting question and some of the law in this area goes back to the 1700s, when pirates were attacking U.S. ships. In fact, as I read them, the Computer Crime statutes before 1996 really could not be said to reflect that intent, but there have been some amendments.”

Curtis Karnow, a partner at the law firm of Sonnenschein Nath & Rosenthal and an expert on extraterritorial jurisdiction, says Furniss’s motion was a good one, a sensible tactic that is often tried but never works. As it turned out, it didn’t work with U.S. District Judge Alvin Thompson either. And it didn’t much matter, once the prosecution pointed out that Ivanov had, for some of his exploits, used at least one proxy server located in the United States. It was all Judge Thompson needed to hear. For this case at least, the defendant had effectively perpetrated criminal acts within the United States. That ruling, along with several other issues (such as the prospect of four more trials in other jurisdictions), persuaded Ivanov and his legal team that a guilty plea would be the best way out.

Rueckert agrees that a plea was a good choice for his client, even if it did leave unresolved some important issues of privacy, cyberlaw and the modus operandi of law enforcement. “Number one,” he says, “is about the way the government got data from CTS. The issue there is the individual’s expectation of privacy concerning data that is stored remotely. What process should the government have to obtain access to this kind of data? Secondly, should the government be required to obtain a search warrant, and should the defendant be given legal protections? What kind of notice should the government give? There is also the issue of the method the government used to [ensnare Ivanov]. I think that the method they used offended a lot of people outside the United States. All of these issues are important.”

As significant as those legal issues are, Rueckert admits that for him, the most captivating aspects of cybercrime are psychological. “The thing that fascinated me here,” he says, “was that in Internet crimes you can have a kid, basically, sitting in his basement halfway around the world, and with the click of a mouse, he can cause incredible concern, fear and economic damage all across the country. And the person who is doing it doesn’t really see the results. It can be very easy for someone like that to view what they’re doing as a game.”

Alexey Ivanov doesn’t disagree. Hacking was a challenge, and challenges are always fun. It was also, in a strange and roundabout way, a means to what Ivanov says is a happy ending. ■

Art Jahnke is Web editorial director for CSOonline.com. You can reach him at ajahnke@cxo.com.


A History of Global Hacking

Hackers who forget history are doomed to repeat it, right? To read a time line of major hacking incidents dating back to 1971, go to www.csoonline.com/printlinks.



The reasons to invest in new video surveillance systems are everywhere. Zoom in on these six insights to help you focus on what’s important and what’s just hype.

By Scott Berinato

IN THIS STORY: Why video surveillance is proliferating ■ Questions concerning video technology options ■ Potential costs and benefits of new surveillance tools

[Photo: Sheng Guo, CTO for the New York State Unified Court System, sees cost-saving benefits in new video surveillance systems. Photo by Andrew Kist]


What are you looking at? Seriously. What are you looking at with all those surveillance cameras? A parking lot? A customer? A close-up of what’s stuffed in the customer’s jacket? A warren of cubicles? Rows of blackjack tables? That guy loitering across the street? That employee punching his buddy’s time card? Fifteen thousand intermodal shipping containers? One priceless painting? The lobby? The service entrance? Hollywood Boulevard? Widgets on an assembly line? Fire? Traffic? A pack of dingoes ranging near your plant at night? The heat signature of a pack of dingoes ranging near your plant at night? The produce aisle? National monuments? School grounds? The reservoir? Cash tills? Anything that moves?


Actually, we already know. You— intrepid security professionals— are looking at all of that and more. As a tool (and as a cultural phenomenon), video surveillance is in rapid ascent. We’ve become a nation of conspicuous consumers of surveillance technology— buying cameras, putting them wherever we can, pointing them at whatever we can, and then buying newer cameras. Cheaper ones, higher-resolution ones, tinier ones, digital ones with fantastic gadgetry attached to clever new applications.

The new applications are propelling a surveillance tsunami. If you can look at customers, why not let marketing count them? If you’re watching cash tills, why not let HR train new cashiers with that video? If you can see all those shipping containers, why not pass those pictures to logistics? Software tools that do all this have launched video surveillance, catapulting cameras into the corporation and society at large.

It all sounds like a dark echo of the late ’90s escalation of the Internet and the dizzy dotcom boom. The only difference is that the optimism of the late ’90s, the feeling that anything was possible, has been replaced with the post-9/11 fear that anything’s possible. And while optimism evaporates over time, fear takes root; so it’s unlikely this surveillance bubble, like the dotcom one, will burst. Joe Freeman, a security industry consultant and president and CEO of J.P. Freeman, predicts that the video surveillance market will expand this year by 17 percent (three times the Labor Department’s GDP growth estimate). Freeman and other observers expect sales of newer surveillance technologies, such as networked video and emerging IP-based video, will rise at even faster rates.

But there are lessons to remember from that previous era. Certainly one lesson that holds true is that the faster a new technology is deployed, the less intelligent that deployment seems to be. So watch out for places where decision-makers are camera-happy but not necessarily camera-smart. Amidst the rush to get the latest, most powerful surveillance tools, CSOs need to apply some knowledge, structure and direction, else they run the risk of building up inefficient, ineffective surveillance systems.

“We’ve created our own problems,” says consultant Sandra Jones, who specializes in video technology and security services. “We’ve done a great thing by making cameras cheaper and better. And because of that, they’ve proliferated. But that’s also a trap.”

The challenge is not what you can do; you can do almost anything, Jones says. “The challenge is how well you do it,” she says. “How do you make surveillance useful? So that you’re not asked in five years, or whenever the surveillance system fails you: Why did we spend all this money again?”

[Photo: “The question I’m asking vendors is: What does a global network video architecture look like?” says Genzyme CSO Dave Kent. Photo by Christopher Navin]


Video  Surveillance 


It’s the CSO’s job to get in front of this before, not after, buying into the surveillance hype. To help, we’ve scanned the hallways and perimeters of the field. Here’s what we see.


Take It Easy with New Technologies

Despite all of the mad growth in new video technology, CSOs are getting conflicting advice on how to deploy it.

That’s because while the newer technologies (networked and IP-based video surveillance) are on the rise, they still split the market roughly 50/50 with the old-guard, standalone closed circuit TV (CCTV) systems, according to Freeman.

Video surveillance is in that awkward moment of its life that the music industry was in around the early ’90s when cassettes and CDs sold equally, even though everyone knew that, eventually, the superior CD would drive cassettes into extinction. Just as digital video will surely wipe out CCTV.

It’s still early for CSOs to know exactly how to proceed, says Dave Kent, CSO of biotech company Genzyme. “Not a lot of people are tuned to [IP-video surveillance’s] versatility yet, but it’s inevitable,” Kent says. Still, no one knows precisely when that inevitability becomes reality.

Because of that uncertainty, CSOs are getting conflicting advice. Darryl Marshall, a technology systems integrator who deployed a digital video surveillance system for Dreams, a bed and mattress retail chain in Great Britain, observes, “The old CCTV guys tend to downplay the current viability of digital and networked IP-video, while the digital guys hype you into buying too much, or something that’s not ready, or something that doesn’t fit into your environment.”

Thus, CSOs are caught in a pickle, between getting less than they could and more than they need, a dilemma complicated by the fact that surveillance technology is progressing over three phases:

PHASE 1: Standalone CCTV systems. Relative dinosaurs, but sturdy and simple. They will fade as surely as typewriters did.

PHASE 2: Hybrid digital-analog systems. Sometimes networked, they use black-box digital video recorders (DVRs, essentially TiVo boxes). Represents the transition between old and new— such as those word processors that came after typewriters, but before PC programs.

PHASE 3: Fully digital, networked IP-based surveillance. Here, video surveillance is just another node on the IT network. Cameras have IP addresses, controlled centrally with any number of software applications on top of the raw visual data.

Freeman’s market research shows CSOs are certain that they want to move off standalone closed circuit TV but unsure they’re ready to move on to what they’re being told is the more powerful, more dynamic future of video surveillance— fully digital systems. So they network their DVRs to get a few benefits of the new technology without a real commitment. They add some digital systems, while keeping CCTV with DVR. They’re milking their old investments.

Sheila Bramlitt, director of corporate security for First Horizon National, reflects the overall ambivalence of many CSOs toward uprooting their CCTV entirely for IP-video surveillance. Banks such as Bramlitt’s— which has hundreds of locations in 30 states, including small branches and ATM vestibules— can demonstrate dramatic savings by going digital and centrally controlling and monitoring surveillance. Yet Bramlitt hasn’t entirely abandoned her old CCTV systems as she inserts new digital surveillance systems, conducting full risk assessments along the way. “The digital surveillance is very appealing, and we’ve bought into some of that— without being paralyzed by the hype,” she says. “We want to let someone else be the guinea pig. We’re in a transition.”

Eyes At Work

BILL BOWENS, Project Manager, Dallas-Fort Worth International Airport

Surveillance network: Airportwide
Technology mix: Digital network.
Main security requirements: Public safety, antiterrorism, customer security
Best ROI argument: A recent terminal evacuation that turned out to be unnecessary. Bowens says if he avoids two terminal evacuations, the new system will have paid for itself.
Biggest challenge: Avoiding the wow factor. Without good analysis and design skills from the security team, Bowens says he’d end up with lots of stuff he didn’t need, and that might hinder his ability to give the decision support analysis.
Advanced applications: Limited.
On the power of digital video: “I can’t spend 15 minutes trying to decide whether or not to evacuate a terminal. I’ve got to provide that decision support data in 10 seconds. Now I can do that.”

Newer  Systems  Can 
Pack  Some  Punch 

Usually, deep in the core of any technology’s hype, there exists some legitimate generative spark. For example: Done right, it really can improve business. With IP digital video surveillance, the potential is undeniable.

Here  are  two  simple  examples. 

Pedro Ramos, director of loss prevention for Pathmark Stores, identified a problem universal to grocery stores and for which he had statistics: Most inventory shrink—shoplifting, employee theft and damaged goods—occurs at the point of sale. So he installed digital video that links to the cash registers at all of his stores. “I can look at the [digital archive of the] register tape, pick out any item on that tape and be taken to the archived video of that moment in that transaction.” This allows quicker response to incidents and deters theft. Recurring problems (such as a cashier who repeatedly mishandles egg cartons during scanning) can be identified and ameliorated quickly. “Almost immediately,” says Ramos, “we’ve seen a significant decline in shrink.”

DAVE KENT
CSO, Genzyme

Surveillance network: Global; sites in 30 countries
Technology mix: Some legacy CCTV with networked cameras connected to DVRs. Small but growing stock of digital network equipment. Moving to a fully digital network slowly, swapping in IP-based surveillance when he can justify the upgrade.
Main security requirements: Employee security and safety, corporate espionage deterrence, manufacturing plant monitoring
Best ROI argument: Networked surveillance with central control allows Kent to add surveillance at small remote sites where it used to be cost-prohibitive to have CCTV and a full-time employee for monitoring.
Biggest challenge: Kent says there’s no one tool that he believes is up to the challenge of managing a video network on a global scale.
Advanced applications: Video tours, assembly line quality control monitoring, training.

Sheng Guo’s story is even more dramatic. Guo is CTO of the New York State Unified Court System—more than 200 courthouses wherein lawyers, litigants, criminal defendants and ordinary citizens intermingle every day. Public safety is, understandably, a huge concern. But Guo’s facilities each had their own CCTV systems, rules and procedures.

Guo decided to shift to a digital, IP-based network and centralize control in New York City (although each site will still be able to monitor its own system). He’s phasing this in now. In the first phase of the installation, Guo says, he saved at least a half-million dollars on deployment costs over CCTV. “For software, we saved a quarter-million because it’s all open IT systems now, so we did development in-house,” Guo says. “Hardware we didn’t calculate, but we know we saved. I mean, the monitoring station is, what, basically a PC.”

Not only that: Ethernet connections allow cameras to get their power over the same cable that they use to transmit their data. That was another huge savings, Guo says, because in some of the city courthouses, his group is just a tenant. “If you needed to get power outlets to new cameras, you're talking about three different agencies and months for approval.”

SHENG GUO
CTO, New York State Unified Court System

Surveillance network: 200-plus sites across New York
Technology mix: Now building a digital IP-based surveillance network, replacing CCTV systems at many courthouses.
Main security requirements: Public safety
Best ROI argument: Standard IT hardware and software save millions on capital costs and allow in-house software development.
Biggest challenge: The potential for buyer’s remorse—that what he buys will be supplanted by better, cheaper equipment. "You have to commit at some point," says Guo. "If you’re worried something better will be out in two years, you’ll still be worried about that two years from now."
Advanced applications: Motion detection; Guo has tested infrared surveillance for low-light spots but has yet to deploy it.
On his mission trumping ROI: "It was more [about] public safety and saving lives."

Justify  the  Costs  of 
Those  New  Cameras 

Guo is on the front edge of the digital video surveillance trend. He would be considered one of the guinea pigs that Bramlitt said she is waiting on to test the technology for her. But even Guo is careful with what he chooses to deploy.

The New York courts have installed some motion detection, and Guo says he has tested some infrared cameras for low-light spots, but he offers some caveats: “We test first and start simple, where there are well-defined parameters, like restricted space where any movement would be suspicious.”

Pathmark’s  Ramos  is  more  conservative. 
He  hesitates  to  endorse  the  IP-based  digital 
video  hype.  His  system  is,  in  fact,  a  hybrid 
(such  as  those  of  Bramlitt  and  Genzyme’s 
Kent).  Pathmark  combines  digital  and  analog, 
and  even  uses  some  tape  storage.  It’s  on  the 
cusp  of  a  phase  3  system,  but  not  quite  there. 
Why?  “The  cost  to  convert  over  fully  isn’t  quite 
where  we  need  it,”  he  says. 

He’s not just guessing either. Ramos demanded and is getting an average of about 13.5 percent ROI from his video surveillance upgrade. And, under the right conditions, some of his stores will recoup costs in less than two years, some in under one. “We need a six-month time frame for video storage, and I can’t cost-justify a fully digital system with that requirement yet,” Ramos says. (Like others in this story, Ramos declined to share specific surveillance investment figures.)

Ramos’s discipline is not a fluke. One would think someone such as Bill Bowens, who recently managed an upgrade to digital video surveillance at Dallas-Fort Worth International Airport, would not have to provide a rigid analysis of the need for better surveillance. Airports, after all, are central to domestic antiterrorism efforts. Yet, Bowens says, “We don’t do anything because we just think we have to. There’s a cost-benefit for everything.”

Bowens wouldn’t provide many details of his system, but he did talk about some of the benefits of upgrading. Decision support data from video on whether to evacuate a terminal now can be had in 10 seconds, whereas with CCTV and tape, it might have taken minutes or more. And if Bowens manages to avoid unnecessarily evacuating a terminal just two times, the system will have paid for itself.

Still, Bowens was strict in what he bought to enter the modern surveillance age. “The vendors freak out when they get to an airport,” Bowens says, “because we are not ‘wow’ motivated. We buy what we need, and we tell them it has to run for at least 10 years.”

Along with Bowens, Ramos says he knows of some executives who have taken a less disciplined approach. “You know, guys in high-margin businesses who can get away with mushy ROI, they see all these gadgets. I see a lot of people getting taken in by the wow factor,” he says. By wow factor, Ramos, whose business is decidedly low-margin, means not only the hardware but the advanced applications—such as face recognition and behavior pattern analysis. Hardly anyone, Ramos says, could possibly know whether they can cost-justify some of these new applications yet. Never mind whether they even need them.

Ramos  also  adds  that  the  Wowists  aren’t 
considering  hidden  and  tangential  costs  that 
will  creep  up  with  digital  systems  (see  “Five 
ROI  Rules  of  Thumb,”  Page  45),  such  as  staff 
retraining,  bandwidth  and  security. 

“Don’t get me wrong, the demos are beautiful. Just consider me from Missouri,” says the European-born Ramos. “Show me this stuff up and running in the real world. And show me what it really gives me. Getting video to my cell phone is really incredible; at what point do I really need that? The wow factor should come last, basically.”

The  High  Price  of 
Buying  into  the 
Wow  Factor 

Wow breeds ineffectiveness; a bad technical deployment will create support costs. A lack of planning for business processes to guide alarms will spur false alarms. Over time, false alarms are ignored, increasing the risk that a real alarm will be ignored. Eventually, a real alarm is ignored, and the investment has failed. It will create inefficiencies. “What you end up with,” says surveillance consultant Jones, “is a lot of wasted data—volumes and volumes of it.”

PHOTO BY CHARLES FORD

Wow also encourages information overload. The economics of video infrastructure allow you to put up as many cameras as you like. But how many cameras does it take to generate an unmanageable amount of visual data?

And for all the gee-whiz applications being developed for digital video surveillance, Genzyme’s Kent says vendors are struggling to create something far more basic: excellent digital video management to deal with information overload. Without that, he says, he would be asking for trouble by networking a global surveillance infrastructure.

“First you’ve got the problem of centralized storage and retrieval of huge amounts of data,” says Kent. “Then you’ve got small sites which have no way to do local recording and archiving, while making that data available at the home office. The question I’m asking vendors is: What does a global network video architecture look like?”


Wow tends to mess up long-term planning as well. “The lifecycle of a video system could be seven or eight years, even a decade,” says Freeman. “So you better have a good rationale for everything you’re doing. If you haven’t thought through your investment and in six months, a new smart camera comes out that’s startlingly more efficient at a reasonable price, what do you do? Do you go to the CFO and CEO and say, Our rationale has changed? You can do that. Of course, you might look stupid doing that.”

After all, CEOs and CFOs “got fed up with this bad investment cycle thing before,” says Bob Degen, senior vice president of corporate security for First Data, recalling the post-boom write-offs on technology. “They have a natural aversion to that kind of thing after the tech era.”

“We’re not ‘wow’-motivated. We buy what we need, and we tell our vendors it needs to run for at least 10 years.”
—BILL BOWENS

Get to the CIO—Right Now

You had better hope IT has learned its lessons from that era. In fact, you had better talk to the CIO. Here are two reasons why: One, many of the new generation of video surveillance vendors are going to them, not you, to sell this stuff. “CSOs are not always driving this purchase,” says Daved Levine, a surveillance systems integrator. Vendors target IT because there’s more familiarity with technology, and probably more receptiveness to upgrading it too.

Two, trying to make video surveillance part of the IT network will obviously require heavy participation from IT. Says Levine, “If you try to deploy digital video surveillance without the full support of IT, you're done.” Pathmark’s Ramos underscores that: “Get IT involved; get them to help you build an ROI model; get them to help develop the best system for your needs.”

It’s not surprising then that Ramos and every other CSO we spoke with who had dabbled in upgrading their video surveillance claimed to have an excellent relationship with his or her CIO. At Dallas-Fort Worth Airport, Bowens managed the video surveillance upgrade from the IT department. “When I’m asked how I ended up in security,” he says, “I say it invaded my world.” In the case of the New York State Unified Court System, the team in charge of the surveillance project was Guo’s, not the security officers from the Department of Public Safety (although the two groups did work closely throughout).

But Guo smartly deferred to the security team on issues he didn’t know about. First, he says, the security team determined the most vulnerable locations, determined camera positions, types of cameras—stationary versus pan-tilt-zoom, indoor versus outdoor—and then did a cost impact. “Then, we took that and fit it into our computing infrastructure. Without [the security team’s] participation, the technology itself is not useful,” he adds.

What we have here with digital video surveillance is security convergence—one of the first major security purchases that not only could benefit from but absolutely requires the cooperation of the CIO and CSO.

CSOs can’t do this without IT’s technological expertise. As much as Guo allowed the public safety team to lead the risk analysis, Bramlitt at First Horizon was ready to cede control of managing the IT requirements—network bandwidth demands, server capacity, storage configurations, data security—to her CIO and CISO.

“We come to mutual agreements on what’s adequate,” she says. “There’s no in-fighting. I understand their business needs; they understand my security obligations.” It’s almost beautiful.


Watch  These  Sneak 
Previews  and  Coming 
Attractions 


The most promising development for digital video surveillance, the real wow factor, is the creation of the new applications. Until now, video surveillance was what Jones calls a “grudge spend.” It was overhead for liability, crime deterrence and loss prevention. And that was it. Before Guo transformed them, the New York state courts were the physical realization of the attitude toward surveillance: Many of the over 200 courts had their own CCTV systems—big, old, fixed cameras, hardwired by coaxial cable into basements where a guard may or may not have been staffed to stare at the bank of cloudy gray screens.

The new era of video surveillance is comparatively airy and bright, where cameras give CSOs better pictures faster, in any light or weather; where the Internet allows Guo to log on from home and check in on any of his sites; where sleek technology focuses on business growth; and where it focuses on, say, four business problems at once. Video surveillance suddenly has street cred in marketing, HR, travel services, even customer relations.

Thus, when Dreams bed stores in Britain recently put its system in place, its primary function wasn’t even security; it was marketing. The company is measuring foot traffic around the store. The secondary function was security. And the tertiary function was human resources, using the video for training. “That made it a pretty easy sell actually,” says Marshall, who oversaw the project (which, by the way, he says was led by Dreams’ IT project managers).

ROI Rules of Thumb

YOU’RE LIKELY DEALING WITH A CEO and CFO who want to know why they should invest in Escalade-like networked digital video when they’ve already got a perfectly fine Chevy CCTV system. That is, you need to demonstrate ROI.

It’s impossible to create a generic return case for video surveillance because, while its applications overlap, they are also unmanageably varied. At the Pathmark Stores grocery chain, Pedro Ramos, director of loss prevention, looks at inventory shrink and insurance fraud (customers taking pratfalls), among other issues. Sheila Bramlitt, director of corporate security at First Horizon National, must focus on cash theft and safety (armed robberies) at her company’s banks. At Genzyme, a manufacturing and R&D venture, CSO Dave Kent monitors assembly lines and corporate espionage.

Still, having said that, we can descry some ROI rules of thumb from these sources and others for when you’re building your case for the Escalade:

• Digital video surveillance scales well. The larger your planned installation, the more remote sites you plan to monitor from a central control room, the more efficiency you can create and the faster your return will come.

• Cost calculations favor digital video over closed systems. “The economics of storage favor standard IT infrastructure” over closed systems such as DVRs, says Bob Degen, senior vice president of corporate security of First Data. “The equipment functions better with less repair. It’s easier to expand on. We’re in the process of building a command center. We’ll put all alarms, images, sound and voice over the Web to that centralized site. That will create huge advantages.”

• Integration with other systems will cost more up front but will also facilitate positive ROI. Linking video surveillance to access and safety, especially, could possibly allow you to lower insurance premiums, but also to facilitate response times to crises large and small.

• Cross-threading applications and systems allows you to share the cost burden with other departments. “We partner with safety and business continuity of course, but also, say, our real estate group,” says Bramlitt. “If we can partner with them when they’re building a new site, we can share the costs and benefits.” It makes upgrades an easier sell, she says.

• The more things a digital video surveillance system does, the higher the ROI. What software applications, or even business activities, exist to extend the usefulness of the surveillance infrastructure? Training? Marketing? Find all the ones that are realistic for you and attach a value to them. -S.B.

As digital video quality improves, training rapidly gains purchase as a prime application. Ramos uses his new system to train cashiers and other store-level associates. Captured images of employees doing something well are posted as a method of positive reinforcement, and captured images of common mistakes get tacked up too, as an awareness tool.


In retail industries, especially, marketing wants in on video surveillance. Consultant Jones is working with retailers to map store traffic to improve the flow of customers and increase safety. Others are using the visual data to watch inventory levels.

Companies are cutting travel expenses by using the infrastructure for meetings. Or using it for OSHA-like inspections of restaurants, allowing more inspections with less travel dollars spent. Genzyme’s Kent uses video for quality control by monitoring production trains.

A public utility uses cameras to validate trespassing incidents. Police issue tickets and revenue increases. At the same time, costs incurred by the court system fall, because perpetrators don’t challenge the visual evidence.

A major transit authority watches its stations, measures footfall and traffic patterns, reconfigures stations to reduce congestion, adjusts train schedules based on the visual data, locates common loitering spots and makes them less loiterer-friendly. All of the following increase: safety, ridership and revenue.

A humpyard, where train cars come off boats and trucks and are assembled into trains, repurposes its video surveillance. Now managers not only watch fence lines for trespassers and would-be thieves, but they manage the logistics of assembling the trains correctly and getting them, literally, on the right track—a job that used to involve several men in towers talking to each other and people on the ground as they looked out over their vast yards with binoculars.

These applications are real. More are coming, and they are limited only by the imagination. Digital video surveillance on IP networks will take over. For better and for worse, this camera craze will flourish and develop into a surveillance nation. And then there will be a simple, precise answer to the question, What are you looking at?

Everything, all the time. ■

E-mail  Senior  Editor  Scott  Berinato  at  sberinato@cxo.com. 

Evaluating Surveillance Tech

Senior Editor Scott Berinato delves into the pros and cons of investing in new surveillance systems. See “Four Reasons Digital Video is Hot,” and “Four Reasons to Go Slow on Digital Camera Networks.” Go to www.csoonline.com/printlinks.




First results from a new security management survey indicate that many companies have only rudimentary practices in place


This  is  NOT  a  maturity  model. 

The charts on the following pages reflect first results from the Security Capability Model, a survey tool codeveloped by CSO and Carnegie Mellon University’s CERT Coordination Center (CERT/CC) to help respondents compare their security processes—particularly pertaining to information security—with those of other organizations.

The Security Capability Model obviously draws some inspiration from the Capability Maturity Model (CMM), a rigorous tool for process management in software application development created by CMU’s well-known Software Engineering Institute (SEI). The reason for borrowing the “capability” part of that name—but not the “maturity”—is this: “The whole notion of maturity as reflected in the CMM is built on the notion of long-term practice. There were 20 years of experience to base the CMM on,” says Julia Allen, a senior technical staff member with SEI. “That doesn't exist yet in information security. We don’t yet feel there’s a long enough history” to clearly state what constitutes “mature” information security practices.

By Derek Slater, with Research Editor Lorraine Cosgrove Ware

PHOTOGRAPHY BY DAVID AUBREY/CORBIS

Infosecurity Survey

How  to  Read  the  Charts 

In lieu of attempting an absolute standard for correct or mature practices (though a variety of those already exist elsewhere, ranging from ISO standards to SEI’s own Octave risk management methodology), the model provides the opportunity to benchmark against others in 22 specific practices. The chart on the opposite page presents the full survey results, grouping the practices under four headings: managing risks, setting policies, securing systems and networks, and handling corporate security. Looking at the first practice area on the chart, 60 percent of the total response base said they have a process in place for conducting regular vulnerability assessments.

Fewer—49 percent, again of total respondents—said they have specified an owner for that particular process.

Only 22 percent of all respondents said they regularly review and update this process, which is the group described by the model as most capable in this practice area. (The least capable group would be the 40 percent who, by implication, have no process in place at all.)

Beyond this left-to-right growth in capability, Allen notes that there is also a greater degree of sophistication reflected in the processes at the top of the three infosecurity-related charts (managing risks) than at the bottom (securing systems and networks).

For comparison, the model also measures corporate security capability in a few areas outside of infosec: facility access, business continuity plans, employee awareness training and background checks. The results indicate that information security is not the only area that needs more attention. While access cards, for example, are fairly common, employee training in recognizing suspicious events or items is one of the least common practices measured in the entire survey.

[Chart: Blooming... Respondents reported widespread adoption of some basic processes, particularly in applying technology for information security. Percentage who have a process in place to: regularly scan for viruses/malware, 82%; detect and respond to suspicious digital events; manage and update user electronic access permissions (the remaining two bars read 81% and 80%).]

[Chart: ...and Wilting. But many important processes for risk management, policy and physical security are still relatively uncommon. Percentage who have a process in place to: determine potential impacts of electronic attacks; link policies to specific business objectives and risk areas; train employees to identify suspicious physical events/items.]

The  survey  remains  open  on  the  CSO  website  (at 
www.csoonline.com/surveys/securitycapability.html). 

CSO and CERT will capture and present the results over time in order to observe trends. Given the proliferation of security- and risk-related regulations, one might expect that compliance efforts alone will drive more organizations toward better-defined security. However, Allen says that’s unlikely. “We find in our fieldwork that companies that use regulatory compliance as the stick [to drive improvement] tend to be less capable,” she says. Allen says more capable—and successful—organizations are those treating security as a business objective; these companies achieve regulatory compliance by documenting existing processes, rather than by scrambling to jury-rig new processes to meet the letter of the law.

If CERT’s observations are correct, it’s going to take a lot more than regulation to push the business world toward more capable information security. The Security Capability Model is structured to suggest a more effective approach: Start by improving risk management processes and moving from there to policy and then technology, rather than maintaining today’s widespread focus on technology solutions as the sole approach. In addition to other improvement themes regularly stressed in CSO (such as better governance models and more rigorous definition and use of metrics), CERT has ideas and suggestions on a newly created website dubbed “Governing for Enterprise Security” (www.cert.org/governance/ges.html).

Some day, information security will arrive at maturity. But judging by this first set of results, there’s a long way to grow. ■


METHODOLOGY 

The  Security  Capability  Model  survey  was  posted  online  at  www.csoonline.com  and  at  the  CERT  website.  The  539  responses  were  accumulated  over  the  first  six  months  of  2004.  Respondents’ 
titles  included  manager  or  director  of  security  (29%),  CISO  or  CSO  (16%),  manager  or  director  outside  of  security  (14%),  and  other  (41%).  Thirty-four  percent  of  respondents’  companies  have 
less  than  $50  million  in  revenue,  25%  between  $50  million  and  $500  million,  24%  between  $500  million  and  $5  billion,  and  17%  more  than  $5  billion.  The  industries  most  heavily  represented 
in  the  response  base  were  finance/banking/accounting  (14%),  health  care/pharmaceutical  (12%),  manufacturing  (11%)  and  government  (10%).  Questions?  E-mail  lcosgrove@cxo.com. 


48  www.csoonline.com  January  2005 


FIRST  RESULTS  FROM  THE  CSO/CERT  SECURITY  CAPABILITY  MODEL  SURVEY 


Managing Risks

Respondents indicate a widespread lack of sophistication in addressing security at the level of risk management. Any organization that regularly reviews processes for vulnerability assessments and threat assessments is well ahead of the pack.

Process                                                                      | Process    | Process owner | Process    | Process    | Process regularly
                                                                             | in place   | identified    | repeatable | documented | updated
Do regular vulnerability assessments                                         | 60%        | 49%           | 42%        | 30%        | 22%
Act on assessment results in a timely way                                    | 55%        | 39%           | 32%        | 22%        | 16%
Identify critical information assets                                         | 61%        | 35%           | 34%        | 26%        | 18%
Identify threats to critical information assets                              | 56%        | 31%           | 27%        | 18%        | 16%
Determine potential impacts of attack on critical information assets         | 30%        | 19%           | 16%        | 12%        | 9%
Manage risks to information assets similarly to other key business risks     | 41%        | 29%           | 23%        | 17%        | 13%

Setting Policies

In the absence of a true risk management approach, the next best step is to at least address security on a policy level. Respondents show decent involvement by senior management in setting security policies. However, few succeed in making security a regular part of staff or management meetings.

Process                                                                      | Process    | Process owner | Process    | Process    | Process regularly
                                                                             | in place   | identified    | repeatable | documented | updated
Have senior managers establish security policy (both IT and physical)        | 73%        | 52%           | 45%        | 48%        | 36%
Link policies to specific business objectives and risk areas                 | 37%        | 26%           | 22%        | 18%        | 14%
Inform all managers of responsibilities regarding security                   | 47%        | 29%           | 26%        | 23%        | 18%
Make security a regular agenda topic at management and staff meetings        | 34%        | 22%           | 19%        | 13%        | 12%
Train end users on security policy prior to receiving system accounts        | 49%        | 33%           | 30%        | 28%        | 20%
Conduct periodic independent audit of compliance with company policies       | 43%        | 28%           | 27%        | 20%        | 17%

Securing Systems and Networks

Survey results show that most organizations approach information security at a technical level. While some technology-oriented processes are more prevalent than others, CERT notes that without attention to risk management and security policies, money spent on technical solutions may be misdirected.

Process                                                                      | Process    | Process owner | Process    | Process    | Process regularly
                                                                             | in place   | identified    | repeatable | documented | updated
Assign, manage and update user identities and access permissions             | 80%        | 57%           | 57%        | 44%        | 33%
Manage system/network changes and configuration, including patches           | 76%        | 53%           | 50%        | 36%        | 29%
Regularly scan for viruses and other malware on all systems                  | 82%        | 58%           | 60%        | 40%        | 35%
Monitor for, detect, report and act on suspicious files/behaviors/events     | 81%        | 53%           | 51%        | 31%        | 25%
Actively work to contain the damage caused by viruses and malware            | 57%        | 40%           | 37%        | 22%        | 19%
Recover/restore compromised files, systems, networks in a timely manner      | 74%        | 48%           | 46%        | 30%        | 23%

Handling Corporate Security

Respondents display a variety of capability levels with regard to basic physical and corporate security processes. Access control is widespread; employee training is not.

Process                                                                      | Process    | Process owner | Process    | Process    | Process regularly
                                                                             | in place   | identified    | repeatable | documented | updated
Require identification and authentication for accessing work facilities      | 72%        | 48%           | 50%        | 40%        | 30%
Put business continuity/disaster recovery plans in place                     | 59%        | 39%           | 36%        | 37%        | 30%
Train employees to identify suspicious packages, behaviors, persons, events  | 40%        | 21%           | 21%        | 17%        | 13%
Require human resources to conduct background checks on all new hires        | 55%        | 39%           | 38%        | 34%        | 28%



The Long View

Securing the Post-Human Future

CSOs will very likely live to see the day when human brains are easily augmentable through an array of knowledge implants, apps and Wi-Fi capabilities. If securing an enterprise seems tricky today, imagine installing firewalls in a few thousand employees’ prefrontal lobes. By Fred Hapgood

ILLUSTRATION BY JOHN HERSEY

IN THIS STORY: You will discover challenging questions about our cyborg future that you probably don't need to answer for a few more years. But when that time comes, you'll remember this story!

Last fall, the editors of a leading public policy magazine, Foreign Policy, asked eight prominent intellectuals to identify the single idea currently posing the greatest threat to humanity. Most of the suggestions were old demons: various economic myths, the idea that you can fight “a war on evil,” America-phobia and so on. Only Francis Fukuyama, a member of the President’s Council on Bioethics, came up with a new candidate: transhumanism.

Transhumanism might be described as the technology of advanced individual enhancement. While it includes physical modifications (diamondoid teeth, self-styling hair, autocleaning ears, nanotube bones, lipid metabolizers, polymer muscles), most of the interest in the technology focuses on the integration of brains and computers—especially brains and networks. Sample transhumanist apps could include cell phone implants (which would allow virtual telepathy), memory backups and augmenters, thought recorders, reflex accelerators, collaborative consciousness (whiteboarding in the brain), and a very long list of thought-controlled actuators. Ultimately, the technology could extend to the uploading and downloading of entire minds in and out of host bodies, providing a self-consciousness that, theoretically, would have no definitive nor necessary end. That is, immortality, of a sort.

While some of these abilities are clearly quite far off, others are already attracting researchers (see “Making the Head Case,” Page 52), and none are known (at the moment at least) to be impossible. Fukuyama obviously felt the technology is close enough at hand to write a book on it, Our Posthuman Future: Consequences of the Biotechnology Revolution, the thrust of which is that society should give the idea a miss. His main concern was that transhumanism would place an impossible burden on the idea of equal rights, since it would multiply the number of ways of being human well past our powers of tolerance. (If we have all this trouble with skin color, just wait until some people have wings, augmented memory and reflex accelerators.)

Ignorance  Is  No  Option 

Still, it’s not clear that boycotting neurotech will be a realistic option. When the people around you—competitors, colleagues, partners—can run Google searches in their brains during conversations; or read documents upside down on a desk 30 feet away; or remember exactly who said what, when and where; or coordinate meeting tactics telepathically; or work forever without sleep; or control every device on a production line with thought alone, your only probable alternative is to join them or retire. No corporation could ignore the competitive potential of a neurotech-enhanced workforce for long.

Right  now,  the  only  people  thinking  about  transhumanism  are 
futurists,  ethicists  (such  as  Fukuyama)  and  researchers.  However,  if 
and  when  we  do  advance  into  this  technology,  several  management 
issues  will  also  need  attention. 

For  instance,  upgrade  management. 

From a purely capitalist point of view, one virtue of transhumanism is that it incorporates both body and mind into the continuous upgrade cycle that characterizes contemporary consumption patterns. Once a given modification—such as a cortical display—is successfully invented, newer and better ones will crop up on the market every year, boasting lower power requirements, higher resolution, hyperspectral sensitivity, longer mean time between failures, richer recording, sharing and backup features, and so on. Multiply by all the devices embraced by the transhumanist agenda, and it’s clear that every year even the most financially secure users will be forced to winnow a small number of choices from an enormous range of possibilities.


Another  concern  could  be  digital  rights  management. 

When brains can interact with hard disks, remembering will become the equivalent of copying. Presumably, intellectual property producers will react with the usual mix of policies, some generous, some not. Some producers will want you to pay every time you remember something; others will allow you to keep content in consciousness for as long as you like but levy an extra charge for moving it into long-term memory; still others will want to erase their content entirely as rights expire, essentially inducing a contractually limited form of amnesia. While any one of these illustrations might be wrong in detail, there will almost certainly be a whole range of intellectual property issues and complications that will need to be managed.

In  other  words,  it  looks  as  though  the  transhumanist  era  is  going  to 
present  a  host  of  problems  for  which  there  are  no  immediate  solutions. 
Consider,  for  example,  the  extremely  vexing  problem  of  neurosecurity. 

A brain running on a network will obviously be an extremely attractive target for everyone from outright criminals to bored hackers to spammers. Why worry about actually earning a promotion when you can just write a worm that will configure your superior’s brain so that the very thought of you triggers his or her pleasure centers? Why bother with phishing when you can direct your victims to transfer their assets straight to your bank account? Why tolerate the presence of infidels when they can be converted to the one true faith with the push of a button?

Making the Head Case

THERE ARE THREE ROADS TO NEUROTECH.

The first is smart interfaces. When artificial intelligence researchers finally solve the general learning problem, it will be possible to build machines that learn to give humans what they want even before they know they want it. This route is the least invasive but is not without its own security issues; a good illustration of these was made forcefully by the classic science fiction movie Forbidden Planet, in which this very technology leaves its inventors fatally vulnerable to attack from “monsters from the id.”

The second is building neurocomputers and neuronetworks out of biological elements. While we think of biology as a chemical medium, in fact, it offers a long list of electrical and electronic properties that can be adapted to integrate with other technologies. These bioelectronic materials can then be surgically implanted or “grown” through genetic engineering.

The third is using nanotechnology to upgrade native biology with better materials and designs, such as using nanotubes to make faster and smaller neurons, or enabling the body to communicate with itself via a wireless LAN, thus dispensing with axons.

All these roads are being investigated today and there are no obvious showstoppers on any of them. While the primary incentive for this work is advancing the treatment of conditions such as paraplegia and blindness, neurotech is also central to progress in basic brain research. You can only learn so much about how the brain works by listening from outside. -F.H.

“Robby the Robot,” from Forbidden Planet. PHOTO BY MPTV.COM

Whom Do You Trust? Not You

Peter Cassidy, secretary general of the Anti-Phishing Working Group, is one of the few analysts thinking about neurosecurity. He says that a key






problem is that the brain appears to consider itself a trusted environment. When brain region A gets a file request from region B, it typically hands over the data automatically, without asking for ID or imposing more than the most minimal plausibility check. It is true that with age and experience our brains do gradually build up a short blacklist of forbidden instructions, often involving particular commands originating from the hypothalamus or adrenal glands (for example, “bet the house on red,” or “pick a fight with that bunch of sailors”), but in general, learning is slow and the results patchy. Such laxity will be inadequate in an age when brainjacking has become a perfectly plausible form of sabotage.

Cassidy points out that one of the core problems in neurosecurity is defining trusted agents. All security depends on the concept of two trusted parties (a trusted identity and a computer) and a trust applicant. The neurosecurity conundrum is that it mixes all these identities in the same brain. It forces you to face the questions of when, whether and how to trust yourself. Still, CSOs and CIOs are familiar with the essence of even this issue, which is much like analyzing the problem of defending an enterprise against an internal employee who has gone bad.

One possible approach to neurosecurity might be to implant a public key infrastructure in our brains so that every neural region can sign and authenticate requests and replies from any other region. A second might be maintaining a master list of approved mental activities and blocking any mental operations not on that list. (Concerns about whether the list itself was corrupted might be addressed by refreshing the list constantly from implanted and presumably unhackable ROM chips.) It might also be necessary to outsource significant fractions of our neural processing to highly secure computing sites. In theory, such measures might improve on the neurosecurity system imposed on us by evolution, making us less vulnerable to catchy tunes and empty political slogans.

New Security Horizons

Lance James, CSO of Secure Science, a security services company, is working on a book on the security aspects of neuronetworking. He observes that engineering research on this topic is going to be harder than conventional security research, which of course has not completely cleared its own agenda. Conventional networking allows researchers to launch experimental attacks on simulated networks that are indistinguishable from the real thing. Simulated minds are nowhere on the horizon, which means that neurosecurity engineers are going to have to work on real brains. This is likely to be awkward, as volunteers will be few. And the fact that neurotech will almost certainly be wireless (The Matrix notwithstanding, people are not going to walk around with open brain sockets) will just add to the security headaches.

However, James continues, the news is not all bad. A large fraction of today’s computer network security problems can be attributed to the uniformity of our hardware and software. Hackers do their damage by learning how to exploit these “monocultures.” If every user built and programmed his computer himself, security would be dramatically easier. Brains are not only self-programming but self-organizing, which almost certainly means that every adult brain is radically different from every other. In the terms of the trade, James says, “Brains might share the same kernel, though even that is a guess, but they probably run different services and have different programming calls.” This diversity might be a problem for neurotech vendors hoping for the economies of mass production, but it gives CIOs and CSOs lots of room to breathe.

Second, all these problems are not going to be dropped in our lap at once. The first neurocomputational products will probably be thought-controlled actuators. Though such devices might show up in quite a range of environments—embracing apps from wheelchairs to body extenders to computer games to controlling industrial machinery—they can be made relatively safe by keeping the data traffic one-way, pushing control signals out through the electrodes while shunting feedback through the physical senses, which are relatively secure. The machinery itself might have a network connection (and therefore be subject to attack), but not the brains of its operators.

Security issues will become more pressing when the second generation of neurotech products arrives: cortical implants allowing sensors and data stores to “print” directly to consciousness. (Much of the research under way today on such implants can be characterized as figuring out how to write a consciousness driver—such as a driver for a printer or a graphic card—only for awareness.)

Fortunately, the first generation of these devices will probably be electronic eyes for the blind, a function that does not require Internet connectivity. From there, however, it is just a step (conceptually, at least—the engineering itself is another question) to a device that accepts any feed at all, from infrared cameras to television programming. Once at that point, the demand for some sort of connectivity will become intense. Who wouldn’t want to be able to read their e-mail (or watch The Sopranos) while pretending to listen to a boring presentation?

CISOs have been urging users to take security seriously for decades, to not use “PASSWORD” for their passwords, to be careful where they find their wireless access points and to use firewalls. By and large, they have enjoyed mixed results. Perhaps the advent of neuronetworking will encourage people finally to take these cautionary procedures seriously.

But  probably  not.  ■ 

Fred  Hapgood  is  a  freelance  writer  based  in  Boston.  Send  feedback  to  mccreary@cxo.com. 


Rise  of  the  Machine  Shop 


He  hasn't  tackled  neurotech  yet  (give  him  time),  but  CSO  columnist  Simson  Garfinkel  has 
a  firm  grasp  on  much  of  today’s  security  technology.  Read  his  hype-busting  analysis  of  the 
next  big  security  things  in  Machine  Shop.  Go  to  www.csoonline.com/printlinks. 




CSO  Undercover 


Why Convergence Is Elusive

Last month, CSO’s editor asked why CSOs can't all just get along in a world of converged security management. The problem is that we’ve got to raise our profiles in the corporate world first. By Anonymous


THE TROUBLE WITH READING is you may get invigorated.

Last month, I read Editor in Chief Lew McCreary’s letter to readers. In it, he places a fundamental challenge on the table: “As security continues its evolutionary path toward, we believe, a converged model of governance—the blissful state of unification between infosec and traditional disciplines—it still founders on unproductive mistrust and legacy attitudes.”

That statement was enough for an entree, but then came this question for dessert: “If security governance is largely a matter of risk management, shouldn’t there be an insatiable hunger among all security executives for insight into the unaddressed risks of infosecurity?”

As someone who understands concepts such as “unproductive mistrust” and “legacy attitudes,” let me offer a contrarian view.

First, the question. Any CSO worthy of the title would have to have an “insatiable hunger for insight into unaddressed risks.” But what risks? I have a list of 600-plus risks that require some measure of analysis and safeguard. Are these the same for my colleague in a different industry? No! While we have shared concerns, from personnel background checks to the protection of assets, I would quarrel with a common set of risks that confront all businesses. Each CSO has a specific set of risks and responsibilities based on his circumstances.

In many places, risk to information is not the security issue that keeps top management (and therefore their CSOs) awake at night. Business is too diverse, and the franchise-threatening list of unmentionables is all over the map.

Consider that map for a moment. There are 99 major industrial groups—from manufacturing to services to public-sector agencies—in the U.S. government’s industrial classification system. It may be said that there is little in common in the way the thousands of entities in each of these groups approach security (if such a function even exists). Each handles the perception and management of risks according to its priorities. Information is likely precious to all of them, yet many manage their risk exposure with relatively mundane security practices. Fiduciary responsibilities and shareholder expectations drive others to devote significant resources to information protection.

I agree with the generalization that “security governance is largely a matter of risk management.” But who’s defining governance? Sarbanes-Oxley has largely defined the corner office players in corporate governance. The truly converged or “full service” security program—one that constantly works on business conduct investigations, due diligence efforts, background checks, intellectual property protection and other reputation-protection functions—can do a better job mitigating risks than the audit group or other designated hitters in corporate governance, who typically enter the picture periodically.

Where is security’s importance recognized in the volumes of recent academic discovery on corporate integrity? Where is security’s role acknowledged as part of the management lexicon on governance? Shouldn’t we find evidence of shared ownership of security risk in newly energized governance models? Have we CSOs established a pattern of linked threats, vulnerabilities, risks and countermeasures to drive corporate risk management models? Selectively, yes. But generally, no. We have a lot of work to do.




In Search of Convergence

The editor’s letter also asserts that there’s an “evolutionary path toward a converged model of governance.” What is this nirvana, this “blissful state of unification”?

Just for the record, I have served in both types of models: unification and grieving separation. The first was a converged, wholly integrated security program; the second was a more balkanized place, where information security was initially split between risk and CIO—and later brought totally under the CIO. (Corporate Security retained its cyberforensic and investigative missions in both models.) Honesty compels me to say that I’d opt for the former model. It’s a situation in which the information and technical environments are, shall we say, more data integrity tranquil and less risk averse. When the enterprise rises or falls on zero downtime, strict confidentiality and flawless data integrity, I’m very happy to have my CIO colleague own information risk management. (Believe me, when it really hits the fan, proximity has its liabilities.) Having “security” as our priority mission, do we share ownership for what just stuck to the fan? You bet. But, like I said earlier, risk is relative.

ILLUSTRATION BY ISABELLE ARSENAULT

So what are we converging here? Remember, there’s a bigger picture involved than the security function. I’m still hung up on the lack of progress in converging security into the larger corporate governance scheme, not merely a converged assemblage of security parts. What is the embarkation point for this evolutionary path? Should the incremental steps begin at the bottom, with security pushing its way in? Or from the top, launched as an epiphany from the CEO?

There are signs of life. I’m encouraged that a number of my CSO colleagues are taking on new duties associated with a redefined notion of corporate governance (often not including infosec), but I worry about the shelf life of these limited steps. We really need to penetrate MBA programs, question the limited scope of established risk-management concepts and better advertise what we bring to the governance table. We are making selective inroads with our security colleagues, but not with our senior management clientele.

Recalling the frequent diatribes between infosec and “traditional” security executives (let’s call them “generalists”), I can’t blame McCreary for seeing mistrust and legacy attitudes as barriers to a convergence of security missions. He bemoans the “way too many snarky rejoinders tossed across the divide between traditional and infosec camps. And camps are apparently what, too often, they are. Can someone please explain to me why this is?” Let me give that a try.

History Channel

Twenty or 30 years ago, much of our approach to information protection was centered on physical and operational security. Look at the Department of Defense or the protection of corporate trade secrets. Picture confidential media stored in file cabinets within limited-access rooms equipped with alarms and highly structured procedures.

Today’s prevalent organizational model reflects the growth of information security within the IT group as data went virtual and threats to information assets grew exponentially. Physical and operational security became service providers. If there is a separate camp philosophy, it reflects shortsighted risk analyses and a lack of managerial initiative to develop an integrated strategy.

Is mistrust a product of being in different camps or of culture and design? CSO generalists come from vastly different backgrounds than their CISO counterparts. The vocabulary, the competencies, the expectations of their bosses on what risks to address, and the whole notion of the threat (the adversary) differ, often dramatically. Generalists deal with a diverse risk environment, while CISOs tend to work within a more predictable and highly structured technical environment. In many organizations, you’ll find some jealousy when IT security salaries are compared by non-IT security personnel.

Look at the actuary tables on many of today’s CSOs. As this group retires, it will be interesting to see how the emerging generation of security generalists will approach information security given their grounding in day-to-day use of the technology. (It is a daunting task for those of us who grudgingly met computers late in life.)

Sure, both camps have silly and ignorant perceptions along with the occasional snarky rejoinder. The ex-cop who sees geeks speaking in tongues. The technically arrogant CISO who believes those knuckle-draggers are qualified only to handle the confidential trash. Real CSOs take risk seriously, regardless of its source.

We’re All Hungry for Information

At day’s end, it’s the notion of information integrity and how we rate the criticality of information-based assets that tends to separate or meld the camps rather than trust or turf. Where information is king, the crown prince is the CIO. A compelling accountability rationale is made by IT professionals that much of information security is platform- and application-based, with a heavy dose of policy compliance by individuals with access. If a critical system or process tips over due to a breach, more often than not it’s the CIO/CISO who is on the carpet. While not blissful, perhaps we have convergence if the CSO is standing tall there beside them.

Don’t get me wrong. I’m one of these readers who is very happy with this journal. CSO has raised the bar on discussion of security management issues. And especially over the past year-plus, it has given more balance and coverage to noninfosecurity topics. That desire for balance is another reflection that information security is but one set of challenges, and maybe not the most pressing for some CSOs.

What are we to do with the idea of a blissful state of unification? Does unification mean one point of accountability for all things security? Or is it achieved in a holistic strategy that addresses risk-ranked priorities? I don’t think that governance or convergence are McCreary’s real issues. More important is understanding an organization’s risks, and then engaging everyone who can contribute to managing them cost effectively.

Of course, all security executives should thirst for insight into the unaddressed risks of infosecurity. Risk analysis is about identifying unaddressed vulnerabilities, the CSO’s principal stock in trade. If a company rises or falls on the integrity of its infosec program, I have to assume a thoughtful risk management strategy has connected these dots. And any security element that could contribute to bulletproof protection will be at the table, sharing its hunger for answers with fellow governance stakeholders.

This  column  is  written  anonymously  by  a  real  CSO.  Send 
your  comments  via  e-mail  to  csoundercover@cxo.com. 




What Keeps the CSO Up At Night?

Connecting security solutions to business realities is central to the CSO role. They must understand what risk means to their company and how to balance that risk with business opportunity. After all, the CSO is responsible for all aspects of the company’s security but is also a business executive with an eye on the bottom line.

CEO: wants the company’s employees, assets and information protected without compromising the ability and agility to capitalize on business opportunities

CSO: connecting all aspects of physical and information security with business realities, partnering with executive peers and communicating risks and solutions throughout the company

CSO is the preferred resource catering to the expanding information needs of today’s strategic security executives. CSO provides CSOs with the resources they need to make their companies secure and competitive in today’s ever changing business environment.

CSO readers are responsible for:

IT Security: 70%
Compliance and Business Conduct: 42%
Traditional Security (physical security, facilities security and investigations): 32%

Source: CSO Magazine Security Sensor™, December 2004
CSO IS A PRODUCT LINE OF CXO MEDIA INC., AN IDG COMPANY

CSO
The Resource for Security Executives


Security flaws in high-profile products like Microsoft’s Passport led experts and vendors to find new ways to disclose bugs. By Simson Garfinkel


A little more than a year ago, a company that I’m involved with found a serious flaw with Microsoft Passport.

Microsoft Passport, for anyone not in the know, is Microsoft’s highly promoted identity management and single sign-on system. Instead of having one password for the Microsoft Developer Network, another password for Hotmail and another password for Microsoft Messenger, all of these services are tied together with a single common database. Log in to one system, and you’ve logged in to them all. In theory, this makes the overall process easier for users, since there is only one ID and password to remember, and more secure, since it is easier to debug and audit one system as opposed to many.

Microsoft has adopted Passport internally for most of its products that need to identify users—things such as Windows Media Player. Microsoft has also encouraged other companies to adopt Passport as their back-end authentication system. The biggest company that has jumped onboard so far is eBay, which allows you to sign in using either an eBay ID or a Passport ID.

The problem that the company discovered had to do with the way the Windows XP Registration Wizard used Microsoft Passport to register new copies of Windows when they were first loaded. Instead of communicating with the Passport servers over an encrypted SSL channel, as Microsoft claimed, much of the information was being sent without encryption.

ILLUSTRATION BY ANASTASIA VASILAKIS

Because Passport is so widely used, the bug was significant. By sniffing the packets on a local area network or an ISP, an attacker could learn the ID and password of any person registering a new copy of Windows XP. What’s more, because the registration was done in a Wizard program—rather than in a traditional Web browser—there was no telltale “https,” meaning there was no easy way for people to know the information was being sent without encryption.

Passport vulnerabilities have been big news in the past: People who have found them have made the front page of The New York Times. Microsoft then scrambled to fix the problem, while individuals and organizations using the system were left in the lurch. The problem, of course, is that it’s hard to stop using Passport. But once the vulnerability is known, the black hats are free to start exploiting it. And once they know where to look, more vulnerabilities might be found.

Bug hunters weren’t always so fast to disclose vulnerabilities. When I started writing about computer security 15 years ago, such disclosures were widely seen as irresponsible and dangerous. Back then, newly discovered vulnerabilities were shared with a few trusted security professionals and communicated to the vendor or software developer. The idea was to give those most affected the opportunity to immediately protect themselves and give the company time to develop a fix before the problem was widely known. Frequently there was no “patch” issued at all; the fix for the security problem was simply folded into the next software release.

The Problem with Selective Disclosure

There was just one problem with this careful approach to vulnerability disclosure: Many security vulnerabilities never got fixed at all. Uninformed that the new releases actually contained security fixes, many users didn’t bother upgrading—especially users running mission-critical systems that couldn’t afford any downtime. Even worse, many software vendors simply didn’t fix the security problems that were brought to their attention. After all, why should they? The typical application or operating system has many security vulnerabilities—some of which are known publicly, some of which are known internally and most of which are undiscovered. Why fix a vulnerability that’s being kept secret?

As the 1990s unfolded, we learned another reason why selective disclosure didn’t work: Increasingly, the people who were discovering security vulnerabilities weren’t part of the privileged cabal of computer security researchers and practitioners; they were students, “reformed hackers,” independent consultants and even journalists. Time and again, I would hear stories of people who had sent e-mail to a company, reporting a vulnerability they had discovered and then got nothing back, not even a “thank you.”

How frustrating. And, as far as the companies were concerned, how tremendously shortsighted.

Thus was born the idea of full disclosure. Mailing lists such as Bugtraq, the sole purpose of which was to allow this new breed of researchers to exchange red-hot vulnerability information, sprung into existence. Computer vendors were welcome to monitor Bugtraq to learn about vulnerabilities in their products—or in the products of their competitors. Of course, the bad guys subscribed to Bugtraq as well—so, too, did a number of highly placed journalists. Thus began the era of disclosures being published on the front page of newspapers, followed by hectic days of patch-or-be-hacked. And all too often, the important disclosures were almost invariably followed by a new round of computer worms or viruses that took advantage of the disclosures.

Disclosures that showed up on Bugtraq weren’t just about new buffer overflows; sometimes the bugs were with e-commerce shopping cart software—bugs that would allow a knowledgeable attacker to get products for free, or even to execute commands on the shopping cart’s server and steal credit card numbers. The most prestige went to people who posted notices with so-called “exploit scripts,” usually a small program that both demonstrated the bug and allowed an attacker to break in to the remote system.

In many cases, there was no obvious public interest served in the public disclosure. Sure, the person who found the bug got credit, but merchants relying on the products were frequently hurt. This was evident when the exploits discovered were with orphaned products made by companies that were having financial problems or had gone out of business. Yes, the merchants relying on these products need to find solutions. But widely posting such vulnerabilities probably did more harm than good.

The Importance of Full Disclosure

These days the pendulum is swinging toward a middle ground called responsible disclosure. People and companies that find security vulnerabilities are supposed to notify the company in question about their discovery and start a clock. The company has 30 days to confirm the vulnerability, come up with a patch and distribute that patch to its users. If the company isn’t responsive, the theory goes, then the bug hunter has not just a right but a duty to publicly disclose the vulnerability in an effort to both light a fire under the vendor and warn users.

These guidelines have been agreed upon by a consortium called the Organization for Internet Safety (OIS, www.oisafety.org). The consortium includes software publishers such as Microsoft and The SCO Group and bug-hunters such as @Stake, Foundstone, Internet Security Systems and Symantec. The hope is that agreed-upon ground rules should bring stability to the hectic world of vulnerability disclosure.

The whole question of vulnerability disclosure is one that most CSOs will have to wrestle with from time to time. The most obvious reason is that a CSO needs to know when new vulnerabilities are disclosed in products that his organization is using. For this reason, it makes sense to have at least one person in your shop monitoring mailing lists such as Bugtraq and Full-Disclosure. The person should also do regular Web searches of product names and release numbers, just to keep tabs on the “chatter” surrounding your organization’s infrastructure investment.

But another reason that disclosure protocols affect CSOs is that a CSO is likely to encounter security vulnerabilities as well. In these cases, the CSO needs to know what to do with this information—whom to tell, how to tell and how to manage the flow of information.
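The monitoring routine the column recommends, and the 30-day clock it describes, as an added example that is not from the column or from CSO: a small Python triage script that checks mailing-list advisory records against a product inventory by release number, builds the product-name-plus-release search phrases, and computes the date after which a finder may publish. The product names, versions, advisories and report date are constructed sample data.

```python
"""Keep tabs on disclosures for the products your shop runs.

Added example, not from the column or from CSO. The products, versions
and advisory records below are constructed sample data, not real ones.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Window the column describes: the vendor has this long to confirm, patch
# and distribute before the finder is expected to publish.
RESPONSIBLE_DISCLOSURE_DAYS = 30


@dataclass(frozen=True)
class Asset:
    product: str   # product name as it appears in disclosures
    version: str   # release number deployed in your shop


@dataclass(frozen=True)
class Advisory:
    source: str                # mailing list the post came from
    subject: str               # subject line of the list post
    product: str
    first_affected: str        # lowest affected release
    fixed_in: Optional[str]    # first patched release; None if no patch yet


def parse_version(text: str) -> Tuple[int, ...]:
    """'v2.3.1-beta' -> (2, 3, 1); letters and separators are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """True when the deployed release falls in [first_affected, fixed_in)."""
    v = parse_version(asset.version)
    if v < parse_version(adv.first_affected):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)


def mentions_product(subject: str, product: str) -> bool:
    """Whole-word, case-insensitive match of a product name in a subject line."""
    pattern = r"\b" + re.escape(product) + r"\b"
    return re.search(pattern, subject, re.IGNORECASE) is not None


def triage(inventory: List[Asset],
           advisories: List[Advisory]) -> List[Tuple[Asset, Advisory]]:
    """Pair each deployed asset with every advisory that affects it.

    Advisories with no patch available sort first: those leave you in the
    patch-or-be-hacked position the column describes.
    """
    hits = []
    for adv in advisories:
        for asset in inventory:
            if asset.product.lower() == adv.product.lower() and is_affected(asset, adv):
                hits.append((asset, adv))
    hits.sort(key=lambda pair: (pair[1].fixed_in is not None, pair[1].product))
    return hits


def search_terms(inventory: List[Asset]) -> List[str]:
    """Product-name-plus-release phrases for the regular Web searches."""
    return [f'"{a.product}" {a.version}' for a in inventory]


def disclosure_deadline(reported_on: date) -> date:
    """Date after which the finder may publish if the vendor has not responded."""
    return reported_on + timedelta(days=RESPONSIBLE_DISCLOSURE_DAYS)


# Constructed sample inventory, advisories and report date (not real).
INVENTORY = [
    Asset("ExampleCart", "2.3.1"),
    Asset("ExampleCart", "3.0"),
    Asset("ExampleMail", "1.4"),
]
ADVISORIES = [
    Advisory("bugtraq", "[Bugtraq] ExampleCart 2.x remote command execution",
             "ExampleCart", "2.0", "2.4"),
    Advisory("full-disclosure", "[FD] ExampleMail header overflow, vendor silent",
             "ExampleMail", "1.0", None),
    Advisory("bugtraq", "[Bugtraq] ExampleDB authentication bypass",
             "ExampleDB", "5.0", "5.1"),
]
SAMPLE_REPORT_DATE = date(2005, 1, 3)

if __name__ == "__main__":
    for asset, adv in triage(INVENTORY, ADVISORIES):
        status = "NO PATCH" if adv.fixed_in is None else f"fixed in {adv.fixed_in}"
        print(f"{asset.product} {asset.version}: {adv.subject} ({status})")
    print("search for:", ", ".join(search_terms(INVENTORY)))
    print("publish after:", disclosure_deadline(SAMPLE_REPORT_DATE))
```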

Follow Disclosure Guidelines

It makes good sense for CSOs to be familiar with the OIS disclosure guidelines. Although nothing makes these guidelines sacrosanct, they do reflect a lot of hard work from respected people and organizations familiar with disclosure problems. If I were CSO at a major corporation, I would be hard-pressed to find a reason to implement a policy that was fundamentally different from what the OIS is proposing.

That’s what my company did: Following the responsible disclosure guidelines, we contacted Microsoft. Following the guidelines, the company took us quite seriously. In fact, Microsoft said the problem was a minor configuration on one of the Passport Web servers. A few days later, the problem was fixed. We didn’t get any glory, but we received a very nice box of Microsoft warm-up jackets in the mail as a kind of tangible “thank you.”

It’s important to remember that the disclosed vulnerabilities represent only a tiny fraction of the vulnerabilities that are in any given piece of software. Any program that’s sufficiently complex will have security problems. Ultimately, what makes a security disclosure something that you need to act upon is that other people know about it. You will always have vulnerabilities. If nobody knows about them, you’re relatively safe.

Isn’t that a comfortable thought?

Simson  Garfinkel,  CISSP,  is  a  technology  writer  in  the 
Boston  area.  He  can  be  reached  at  machineshop@cxo.com. 


Putting Out Fires

It wasn’t your typical vendor meeting, reports a CSO colleague of mine. Instead of trying to get his arms around another new firewall or identity management application, he watched as Joe Ziemba, product manager of engineered systems at Tyco Fire and Security, poured watery-looking liquid over his laptop keyboard. Two-thousand dollars down the drain? Nope. The liquid evaporated instantly with no damage to the computer. Then, he held a container of some of the liquid next to a lit candle. The vapor from the liquid snuffed out the flame.

Pretty  cool  stuff. 

The cool stuff in question is a fire suppression system called Sapphire, from Tyco’s Ansul division. Sapphire is a “clean agent,” which means it can put out fires without harming electronic equipment or other items that might be damaged from the activation of a water sprinkler system. Think about a computer room; if a sprinkler system goes off and floods the servers and cables, that’s one heck of a loss. Clean agents help minimize that risk.

Halon Gets the Boot

Clean agents have been around for decades. The most widely used one over the years has been Halon 1301. However, halons were found to harm the ozone layer and, under the Montreal Protocol of 1987 (which the United States signed on to), developed countries were required to phase out production of those gaseous agents by 1994. (The United States currently has no phase-out requirement for existing halon systems.)

Newer, more environmentally friendly agents appeared on the scene in the early 1990s, including FM-200 (from Great Lakes Chemical Corp.) and Inergen (also an Ansul product), both of which became popular replacements for halon systems.

New Suppressant on the Block

Sapphire is the latest iteration in clean agent technology. It uses Novec 1230, a fluid manufactured by 3M, which will not damage the ozone layer and has an atmospheric lifetime of just five days—that is, it will remain in the atmosphere for five days, then disappear. (By contrast, halon has a lifetime of 65 years.)

Sapphire works like other clean agent systems, which are also known as total flooding systems. They are designed to detect fires before they ignite, using sensors that sense changes in temperature or smoke. If a system observes a problem, agents are released in gaseous form through fixed nozzles located in the ceiling, walls or under the floor.

Novec 1230 (a fluoroketone, for any chemistry majors out there) is an odorless, colorless fluid that is stored in tanks, usually located outside the protected room. It vaporizes upon release and is heavy enough to stay in the room and prevent anything from reigniting. (Other clean agents, such as Inergen and FM-200, are stored as gas, not liquid—which requires more tanks.) “It dries 25 times more quickly than water,” says Ziemba. “We can dip a painting or book in the stuff, pull it out, and it’s dry with no damage.” Sapphire also leaves no residue, making cleanup a relative breeze. It can work alongside a water sprinkler system or by itself.

According to Ziemba, a Sapphire system costs $30 to $40 per square foot. That’s more expensive than a sprinkler system but less than Inergen. Ziemba touts the fact that Sapphire is a sustainable clean agent: “It will never be legislated out of use,” he says, which Tyco uses as a selling point when talking with potential customers.

Keeping Things Up and Running

One reason clean agents have made headway in protecting areas such as control rooms, tape storage rooms and data processing centers is that those areas are critical to business continuity. If a fire strikes one of those areas or if a sprinkler system goes off, it could be catastrophic to a company, particularly if there’s not a redundant facility. “The objective is to have no downtime or as little downtime as possible,” says Mark Conroy, senior fire protection engineer at the National Fire Protection Association.

Ziemba says Tyco has about 40 Sapphire customers in the United States and more than 200 overseas, including museums, hospitals, libraries and manufacturing plants. -Todd Datz

For More Information

Tyco Fire and Security
www.tycofireandsecurity.com/Internet
Provides information on Sapphire and other fire safety products.

National Fire Protection Association
www.nfpa.org
The NFPA is the standards-setting body for fire, electric and building safety.


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


Sales  and  Services 

CSO  Sales  Offices 

President  and  CEO 

Walter  Manninen  •  508  935-4101 

Group  Publisher 

Gary  J.  Beach  •  508  935-4202 

Publisher  Bob  Bragdon  •  508  935-4443 

Executive  VP  Sales/Custom  Publishing 
Ellen  Romanow  •  508  935-4796 

East  Coast 

East  Coast  Regional  Manager 
Roz  Burke  •  508  935-4163 

Regional  Sales  Director 
Kathy  Powers  •  201  634-2331 

Sales  Assistant 

Christine  Hopkins  •  508  988-7836 

Midwest 

Regional  Sales  Director 
Robert  E.  Sawdon  •  512  306-9801 

Senior  District  Sales  Manager 
Beth  DeVillez  •  847  441-3140 

West  Coast 

Western  Regional  Sales  Manager 
Mary  Sinclair  •  415  975-2691 

Senior  Regional  Sales  Manager 
Al Collins • 415 975-2686

List  Services 

List  Services  Director 

Kathryn  A.W.  Marston  •  508  935-4072 

List  Services  Account  Executive 
Stephanie  Roy  •  508  935-4151 

Online  Services 

VP/Online  Sales 

Lisa  Brown  •  508  935-4470 

Online  Sales  Manager 
Michael  McPhee  •  508  935-4611 

Custom  Publishing 

Group  Director 

Michael  Siggins  •  508  988-6763 
Director  Mary  Gregory  •  508  988-6765 

Director  of  Content  Development 

Tom  Field 

Project  Managers 

John  Danielowich,  Amy  Greenleaf, 
Kristen  Waelde 

Production 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 


Senior  Production  Coordinator 

Lisa  Stevenson 

Production  Coordinator 
Stephanie  Naughton 

Executive  Programs 

Senior  VP/Executive  Programs 

Jennifer  Richards 

Conference  Management  VP 
Cynthia  Mollus 

Marketing  Services  Director 
Shellie  Rapson  James 

Business  Development  Director  John  Vulopas 
Program  Operations  Manager  Brian  Fuce 
Marketing  Manager  Glede  Kabongo 

Senior  Client  Relations  Specialist 
Sandra  J.  Hughey 

Senior  Logistics  Coordinator  Michael  Barbato 
Event  Planning  Director  Amy  Turell 

Senior  Customer  Service  Coordinator 

Sarah  Yee 

Marketing 

Executive  VP/CMO 

Cathy  O'Leary  Hayes 

VP/News  and  Information  Susan  Watson 
Publicist Rick Sheehy
Publicist  Lori  Piscatelli 

Marketing  Research  Director 

Bridget  Cammarata 

Marketing  Research  Manager 

Dylan  DiGregorio 

Marketing  Comm.  Director  Sue  Yanovitch 

Partnership/Sponsorship  Coordinator 

Lynn  Holmlund 

Circulation 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescaro 

Reprint  Services 

For article reprints (500 quantity or more), please contact Keith Williams at PARS International at 212 221-9595 x319 or e-mail keith@parsintl.com. For further sales information, visit www.csoonline.com/reprints/index.html.


CSO  Contact 
Information 

Editorial,  Advertising  and  Business  Offices 

492  Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208,  508  872-0080. 

Postal  Information 

CSO  (ISSN  1540-904x)  is  published  monthly 
by  CXO  Media  Inc.,  492  Old  Connecticut 
Path,  P.O.  Box  9208,  Framingham,  MA 
01701-9208.  Periodicals  Postage  Paid  at 
Framingham,  MA  01701,  and  at  additional 
mailing  offices.  Canadian  Publications  Mail 
agreement  number  1902075.  CANADIAN 
POSTMASTER:  Please  return  undeliverable 
copy  to  P.O.  Box  1632,  Windsor,  ON  N9A7C9. 

Permissions 

Copyright 2004 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send requests to Andrew Burrell, CXO Media Inc., 492 Old Connecticut Path, Framingham, MA 01701. Telephone 508 935-4785. E-mail aburrell@cxo.com.

Photocopy  Rights 

Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: $.

Subscriptions 

CSO is free to qualified readers in the United States and Canada. To apply, use our online subscription form at www.csoonline.com/subscribe. Subscriptions are also available on a paid basis at a rate of $70 for the U.S. and Canada and $95 for international (payable in U.S. funds only) and may be ordered online at www.csoonline.com/subscribe/services.html or send inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065-3482. Please allow four to six weeks for a new subscription to begin. Single copies of CSO may be purchased at a rate of $9 to the U.S. and Canada and $15 international. Prepayment is required, payable in U.S. funds.

Change  of  Address 

Please  go  to  www.omeda.com/custsrv/cso 
and  follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to  CSO,  P.O.  Box 
3482,  Northbrook,  IL  60065.  Printed  in  the 
USA. 


Index  of  Companies 
and  Advertisers 

Page numbers refer to the first page of the article(s) in which the company has a substantial mention. This index is provided as a service to readers. The publisher does not assume any liability for errors or omissions.


Company  Index 

@stake Inc. ... 59
3M Co. ... 59
Boston Scientific Corp. ... 19
ConocoPhillips ... 19
Dreams PLC ... 38
eBay Inc. ... 27
First Data Corp. ... 38
First Horizon National Corp. ... 38
Foundstone Inc. ... 59
Genzyme Corp. ... 38
Great Lakes Chemical Corp. ... 59
International Data Corp. ... 30
Internet Security Systems Inc. ... 59
J.P. Freeman Co. Inc. ... 38
Microsoft Corp. ... 19, 59
Pathmark Stores Inc. ... 38
Risk Control Strategies Inc. ... 19
Sandra Jones and Co. ... 38
SCO Group Inc., The ... 59
Security Innovation Inc. ... 19
Sonnenschein Nath & Rosenthal LLP ... 30
Symantec Corp. ... 59
Tyco Fire and Security ... 59
Williams Cos. Inc., The ... 19

Advertiser Index

Adobe Systems Inc. ... 6
American College of Forensic Examiners International ... 35
American Dynamics ... 23
ASIS International ... 37
Authenex Inc. ... 11
Bose Corp. ... 55
CDW Corp. ... 16
Computer Associates ... C4
CXO Media Inc. ... 25, 26, 34, 36, 58, 63
HID ... 5
Information Systems Audit & Control Assoc. ... 18, 29
Intellitactics ... 25a
Internet Security Systems ... 12
NetIQ Corp. ... 2
Nokia Corp. ... 21
RSA Conference 2005 ... 53
RSA Security Inc. ... 15
Symantec Corp. ... C2
VeriSign Inc. ... 9, C3


62  www.csoonline.com  January  2005 


DON'T BE THROWN by the next CURVE BALL that comes your way.

Join the strategic online forum for today's top security executives... AND BE PREPARED.

www.CSOonline.com



CSOonline.com is a unique resource for CSOs and other top security executives. Gain access to the tools you need to make the right decisions to stay ahead of the curve.

» Talk with security industry experts and the award-winning CSO magazine editorial team

» Connect with your peers: CSOs and other security leaders

» Stay current on emerging security issues and key challenges you face

» Discuss shared problems and viable solutions with fellow CSOs

» Leverage successful strategies from practitioners and analysts

Additional resources on CSOonline.com:

TOPIC-FOCUSED RESEARCH CENTERS provide in-depth examination of important security topics with critical articles, research, analyst reports, events, case studies and more.

WEB-EXCLUSIVE CONTENT updated daily.

OPT-IN NEWSLETTERS keeping you up to date on leadership trends, career strategies, and new technologies.

EXTENSIVE LIBRARY OF WHITE PAPERS on topics such as enterprise security, risk analysis, identity management and much more.

The Resource for Security Executives


Witty Worms

Great Moments in Vulnerability Disclosure

(Table columns: Year | Vulnerability | Description | Protection | Recovery)

20,000 B.C.
Vulnerability: FIRE!!! rrrrnnnhh! HOT!! rrnh! arnnh!
Description: WHITE LIGHT! SKY! BLIND! rrrnh! GROUND DANCE ORANGE! rnnh! TREES DANCE ORANGE! arrrrnh! MAN! WOMAN! arrnh! ALL!
Protection: RUN! rrnnh! RUN!
Recovery: RAIN! HOPE SKY RAIN! arrrnh!

400 B.C.
Vulnerability: Beverages easily poisoned with hemlock
Description: Paralysis begins in feet, ascends, with mind remaining clear until the end. Death arrives calmly and peacefully.
Protection: Do not anger gods with dialectical arguments over concepts of piety and virtue. This will corrupt youths and interfere with state religion.
Recovery: None. You must rebuild philosophy with unpoisoned teachers.

1773 A.D.
Vulnerability: Holes in port security open perimeter to attack
Description: Allows tea-based DDOS (Distributed Denial of Sovereignty) attack. Patriots disguised as Mohawks infiltrate King's ships; destroy tax-free payload; incite widespread revolt. Similar effects noted as far away as France.
Protection: Try ceasing taxation without representation. (Might be too late.)
Recovery: Annex India.

1912 A.D.
Vulnerability: Weak hulls
Description: Design flaws make large ocean liners susceptible to Iceberg Attack (Hubris variant).
Protection: Patching is impracticable, so build contingency plans despite "unsinkable" marketing claims; even if you're not sure whether you're affected, wake up captain; increase lifeboat budget.
Recovery: Telegraph SOS; fill lifeboats; wait for emergency backup.

2004 A.D.*
Vulnerability: Witty-A worm
Description: Sends UDP packet from port 4000 to random ports at random IP addresses; attempts to write 64KB of data to a random location on physical disks, destroying them; repeats indefinitely.
Protection: Block port 4000; download patch.
Recovery: None.

2019 A.D.
Vulnerability: "InternetEnd" multimodal airborne bacterial worm
Description: Infects and destroys every computer within a mile. Attack vectors include wireless access points, power lines, cat-5 cable, DVDs, cell phones, satellite dishes, radio transmissions and light breezes.
Protection: RUN! rrnnh! RUN!
Recovery: RAIN! HOPE SKY RAIN! arrrnh!

*REAL VULNERABILITY. DETAILS COURTESY OF SOPHOS.COM




ILLUSTRATION  BY  RED  NOSE  STUDIOS 


PROACTIVE INTELLIGENCE

[Ad artwork: VeriSign security report screenshots showing scan findings for Backdoors, default SNMP Agent community names and NetBIOS information, with a "% of total" chart]

24/7 MONITORING

TOTAL NETWORK VISIBILITY

REAL-TIME CORRELATION

VeriSign Managed Security Services

Where visibility and intelligence overpower fear and doubt.


VeriSign Managed Security Services lets you take a proactive stance on security. How? By continually monitoring and correlating data across firewall, IPS, IDS, VPN, and endpoint systems. By integrating and leveraging these unique insights with continuous vulnerability assessments and the advanced data that comes from handling billions of global email, DNS, and e-commerce interactions every day. And by processing over 250 million daily security events across some of the world's most sensitive networks. VeriSign also offers an award-winning team of hundreds of security experts, ready to monitor and protect your network 24/7. For more on how our Managed Security Services can provide you with a comprehensive view of your network's health and security, visit www.verisign.com/dm/mss. VeriSign. Where it all comes together.™

©2004 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, "Where it all comes together," and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and in foreign countries.


It takes an integrated security solution to make sure the right people have the right access at the right time.

eTrust Identity and Access Management Solutions

These days, a vital aspect of security management is providing customized levels of access for countless employees and partners while also protecting your customers from identity theft. That's one complicated job, and one that can be made much easier with CA's eTrust Identity and Access Management (IAM) Solutions. They enhance security and reduce costs by automating processes and enabling self-administration, in addition to providing policy-based cross-platform protection for web, mainframe, and application resources enterprise wide. To find out how CA's IAM solutions can improve your business, attend one of our workshops: ca.com/etrust/workshop

© 2004 Computer Associates International, Inc. (CA). All rights reserved.

Computer Associates®


